IBM Security Web Gateway Appliance Version 7.0 Web Reverse Proxy Stanza Reference SC27-4443-00

Page 1: Web Reverse Proxy Stanza Reference - IBM · IBM SecurityWeb GatewayAppliance Version 7.0 Web Reverse Proxy Stanza Reference SC27-4443-00

IBM Security Web Gateway Appliance Version 7.0

Web Reverse Proxy Stanza Reference

SC27-4443-00



Note
Before using this information and the product it supports, read the information in “Notices” on page 325.

Edition notice

Note: This edition applies to version 7, release 0, modification 0 of IBM Security Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2002, 2012.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

About this publication ... ix
    Intended audience ... ix
    Access to publications and terminology ... ix
    Related publications ... xii
    Accessibility ... xiv
    Technical training ... xiv
    Support information ... xiv

Stanza reference ... 1
[acnt-mgt] stanza ... 1
    account-expiry-notification ... 1
    account-inactivated ... 1
    account-locked ... 2
    allow-unauthenticated-logout ... 3
    allowed-referers ... 3
    cert-failure ... 4
    cert-stepup-http ... 5
    certificate-login ... 5
    change-password-auth ... 6
    client-notify-tod ... 6
    enable-html-redirect ... 7
    enable-local-response-redirect ... 7
    enable-passwd-warn ... 8
    enable-secret-token-validation ... 9
    help ... 10
    http-rsp-header ... 10
    html-redirect ... 11
    login ... 11
    login-redirect-page ... 12
    login-success ... 13
    logout ... 13
    passwd-change ... 14
    passwd-change-failure ... 14
    passwd-change-success ... 15
    passwd-expired ... 15
    passwd-warn ... 16
    passwd-warn-failure ... 16
    redirect-to-root-for-pkms ... 17
    single-signoff-uri ... 17
    stepup-login ... 18
    switch-user ... 19
    temp-cache-response ... 19
    too-many-sessions ... 20
    use-restrictive-logout-filenames ... 20
    use-filename-for-pkmslogout ... 21
[auth-cookies] stanza ... 21
    cookie ... 21
[authentication-levels] stanza ... 22
    level ... 22
[aznapi-configuration] stanza ... 23
    audit-attribute ... 23
    auditcfg ... 23
    auditlog ... 24
    cache-refresh-interval ... 25
    cred-attribute-entitlement-services ... 25
    dynamic-adi-entitlement-services ... 26
    input-adi-xml-prolog ... 26
    listen-flags ... 27
    logaudit ... 27
    logclientid ... 28
    logcfg ... 28
    logflush ... 29
    logsize ... 30
    permission-info-returned ... 30
    policy-attr-separator ... 31
    policy-cache-size ... 31
    resource-manager-provided-adi ... 32
    xsl-stylesheet-prolog ... 33
[azn-decision-info] stanza ... 33
    azn-decision-info ... 33
[ba] stanza ... 34
    ba-auth ... 34
    basic-auth-realm ... 35
[cdsso] stanza ... 35
    authtoken-lifetime ... 35
    cdsso-argument ... 36
    cdsso-auth ... 36
    cdsso-create ... 37
    clean-cdsso-urls ... 37
    propagate-cdmf-errors ... 38
    use-utf8 ... 38
[cdsso-incoming-attributes] stanza ... 39
    attribute_pattern ... 39
[cdsso-peers] stanza ... 40
    fully_qualified_hostname ... 40
[cdsso-token-attributes] stanza ... 40
    <default> ... 40
    domain_name ... 41
[certificate] stanza ... 42
    accept-client-certs ... 42
    cert-cache-max-entries ... 42
    cert-cache-timeout ... 43
    cert-prompt-max-tries ... 43
    disable-cert-login-page ... 44
    eai-data ... 45
    eai-uri ... 46
[cert-map-authn] stanza ... 47
    debug-level ... 47
    rules-file ... 47
[cfg-db-cmd:entries] stanza ... 48
    stanza::entry ... 48
[cfg-db-cmd:files] stanza ... 49
    files ... 49
[cluster] stanza ... 49
    is-master ... 50
    master-name ... 50
    max-wait-time ... 51
[compress-mime-types] stanza ... 51
    mime_type ... 51
[compress-user-agents] stanza ... 52
    pattern ... 52

© Copyright IBM Corp. 2002, 2012 iii


[content] stanza ... 53
    utf8-template-macros-enabled ... 53
[content-cache] stanza ... 53
    MIME_type ... 53
[content-encodings] stanza ... 54
    extension ... 54
[content-index-icons] stanza ... 55
    type ... 55
[credential-policy-attributes] stanza ... 56
    policy-name ... 56
[credential-refresh-attributes] stanza ... 57
    attribute_name_pattern ... 57
    authentication_level ... 57
[dsess] stanza ... 58
    dsess-sess-id-pool-size ... 58
    dsess-cluster-name ... 58
[dsess-cluster] stanza ... 59
    basic-auth-user ... 59
    basic-auth-passwd ... 59
    gsk-attr-name ... 60
    handle-idle-timeout ... 61
    handle-pool-size ... 61
    response-by ... 62
    server ... 62
    ssl-fips-enabled ... 63
    ssl-keyfile ... 64
    ssl-keyfile-label ... 64
    ssl-keyfile-stash ... 65
    ssl-valid-server-dn ... 65
    timeout ... 66
[eai] stanza ... 66
    eai-auth ... 66
    eai-auth-level-header ... 67
    eai-flags-header ... 67
    eai-pac-header ... 68
    eai-pac-svc-header ... 68
    eai-redir-url-header ... 69
    eai-session-id-header ... 69
    eai-user-id-header ... 70
    eai-verify-user-identity ... 70
    eai-xattrs-header ... 71
    retain-eai-session ... 72
[eai-trigger-urls] stanza ... 72
    trigger ... 72
    trigger ... 73
[e-community-domains] stanza ... 74
    name ... 74
[e-community-domain-keys] stanza ... 74
    domain_name ... 74
[e-community-domain-keys:domain] stanza ... 75
    domain_name ... 75
[e-community-sso] stanza ... 75
    cache-requests-for-ecsso ... 75
    e-community-name ... 76
    disable-ec-cookie ... 76
    e-community-sso-auth ... 77
    ec-cookie-domain ... 77
    ec-cookie-lifetime ... 78
    ecsso-allow-unauth ... 78
    ecsso-propagate-errors ... 79
    handle-auth-failure-at-mas ... 79
    is-master-authn-server ... 80
    master-authn-server ... 80
    master-http-port ... 81
    master-https-port ... 82
    propagate-cdmf-errors ... 82
    use-utf8 ... 83
    vf-argument ... 83
    vf-token-lifetime ... 84
    vf-url ... 84
[ecsso-incoming-attributes] stanza ... 85
    attribute_pattern ... 85
[ecsso-token-attributes] stanza ... 86
    <default> ... 86
    domain_name ... 86
[enable-redirects] stanza ... 87
    redirect ... 87
[failover] stanza ... 87
    clean-ecsso-urls-for-failover ... 87
    enable-failover-cookie-for-domain ... 88
    failover-auth ... 89
    failover-cookie-lifetime ... 89
    failover-cookies-keyfile ... 90
    failover-include-session-id ... 90
    failover-require-activity-timestamp-validation ... 91
    failover-require-lifetime-timestamp-validation ... 91
    failover-update-cookie ... 92
    reissue-missing-failover-cookie ... 92
    use-utf8 ... 93
[failover-add-attributes] stanza ... 93
    attribute_pattern ... 93
    session-activity-timestamp ... 94
    session-lifetime-timestamp ... 94
[failover-restore-attributes] stanza ... 95
    attribute_pattern ... 95
    attribute_pattern ... 96
[filter-content-types] stanza ... 96
    type ... 96
[filter-events] stanza ... 97
    HTML_tag ... 97
[filter-request-headers] stanza ... 99
    header ... 99
[filter-schemes] stanza ... 100
    scheme ... 100
[filter-url] stanza ... 101
    HTML_tag ... 101
[flow-data] stanza ... 102
    flow-data-enabled ... 102
    flow-data-stats-interval ... 103
[forms] stanza ... 103
    allow-empty-form-fields ... 103
    forms-auth ... 104
[gso-cache] stanza ... 105
    gso-cache-enabled ... 105
    gso-cache-entry-idle-timeout ... 105
    gso-cache-entry-lifetime ... 106
    gso-cache-size ... 106
[header-names] stanza ... 107
    server-name ... 107
[http-transformations] stanza ... 107
    resource-name ... 107
[ICAP:<resource>] stanza ... 109


    URL ... 109
    transaction ... 109
    timeout ... 110
[illegal-url-substrings] stanza ... 110
    substring ... 110
[interfaces] stanza ... 111
    interface_name ... 111
[itim] stanza ... 112
    is-enabled ... 112
    itim-server-name ... 112
    itim-servlet-context ... 113
    keydatabase-file ... 114
    keydatabase-password ... 114
    keydatabase-password-file ... 115
    principal-name ... 116
    principal-password ... 116
    service-password-dn ... 117
    service-source-dn ... 118
    service-token-card-dn ... 119
    servlet-port ... 120
[jdb-cmd:replace] stanza ... 120
    jct-id=search-attr-value|replace-attr-value ... 120
[junction] stanza ... 121
    allow-backend-domain-cookies ... 121
    basicauth-dummy-passwd ... 122
    crl-ldap-server ... 122
    crl-ldap-server-port ... 123
    crl-ldap-user ... 123
    crl-ldap-user-password ... 124
    disable-ssl-v2 ... 124
    disable-ssl-v3 ... 125
    disable-tls-v1 ... 125
    disable-tls-v11 ... 126
    disable-tls-v12 ... 126
    dont-reprocess-jct-404s ... 127
    dynamic-addresses ... 128
    http-timeout ... 129
    https-timeout ... 129
    insert-client-real-ip-for-option-r ... 130
    io-buffer-size ... 130
    jct-cert-keyfile ... 131
    jct-cert-keyfile-stash ... 132
    jct-cert-keyfile-pwd ... 133
    jct-ocsp-enable ... 133
    jct-ocsp-max-response-size ... 134
    jct-ocsp-nonce-check-enable ... 134
    jct-ocsp-nonce-generation-enable ... 135
    jct-ocsp-proxy-server-name ... 135
    jct-ocsp-proxy-server-port ... 136
    jct-ocsp-url ... 136
    jct-ssl-reneg-warning-rate ... 137
    jct-undetermined-revocation-cert-action ... 137
    jmt-map ... 138
    managed-cookies-list ... 139
    mangle-domain-cookies ... 139
    match-vhj-first ... 140
    max-cached-persistent-connections ... 140
    max-webseal-header-size ... 141
    pass-http-only-cookie-atr ... 142
    persistent-con-timeout ... 142
    ping-method ... 143
    ping-time ... 144
    ping-uri ... 144
    recovery-ping-time ... 145
    reprocess-root-jct-404s ... 146
    reset-cookies-list ... 146
    response-code-rules ... 147
    share-cookies ... 148
    support-virtual-host-domain-cookies ... 148
    use-new-stateful-on-error ... 149
    validate-backend-domain-cookies ... 150
    worker-thread-hard-limit ... 150
    worker-thread-soft-limit ... 151
    disable-local-junctions ... 151
[junction:junction_name] stanza ... 152
[ldap] stanza ... 152
    auth-timeout ... 152
    auth-using-compare ... 153
    bind-dn ... 153
    bind-pwd ... 154
    cache-enabled ... 154
    cache-group-expire-time ... 155
    cache-group-membership ... 155
    cache-group-size ... 156
    cache-policy-expire-time ... 156
    cache-policy-size ... 157
    cache-return-registry-id ... 157
    cache-user-expire-time ... 158
    cache-user-size ... 158
    cache-use-user-cache ... 159
    default-policy-override-support ... 159
    enabled ... 160
    host ... 161
    login-failures-persistent ... 161
    max-search-size ... 162
    prefer-readwrite-server ... 162
    port ... 163
    replica ... 163
    search-timeout ... 164
    ssl-enabled ... 165
    ssl-keyfile ... 165
    ssl-keyfile-dn ... 166
    ssl-keyfile-pwd ... 167
    ssl-port ... 167
    timeout ... 168
    user-and-group-in-same-suffix ... 168
[local-response-macros] stanza ... 169
    macro ... 169
[local-response-redirect] stanza ... 170
    local-response-redirect-uri ... 170
[logging] stanza ... 171
    absolute-uri-in-request-log ... 171
    agents ... 171
    audit-mime-types ... 172
    audit-response-codes ... 172
    flush-time ... 173
    gmt-time ... 173
    host-header-in-request-log ... 174
    log-invalid-requests ... 174
    max-size ... 175
    referers ... 175
    requests ... 176


    request-log-format ... 176
    server-log-cfg ... 178
[ltpa] stanza ... 179
    ltpa-auth ... 179
    cookie-name ... 180
    cookie-domain ... 180
    jct-ltpa-cookie-name ... 181
    keyfile ... 182
    update-cookie ... 182
    use-full-dn ... 183
[ltpa-cache] stanza ... 183
    ltpa-cache-enabled ... 183
    ltpa-cache-entry-idle-timeout ... 184
    ltpa-cache-entry-lifetime ... 184
    ltpa-cache-size ... 185
[mpa] stanza ... 185
    mpa ... 185
[oauth-eas] stanza ... 186
    apply-tam-native-policy ... 186
    bad-gateway-rsp-file ... 187
    bad-request-rsp-file ... 187
    cache-size ... 188
    cluster-name ... 188
    default-fed-id ... 189
    default-mode ... 189
    fed-id-param ... 190
    mode-param ... 191
    realm-name ... 191
    trace-component ... 192
    unauthorized-rsp-file ... 192
[obligations-levels-mapping] stanza ... 193
    obligation ... 193
[p3p-header] stanza ... 194
    access ... 194
    categories ... 195
    disputes ... 196
    non-identifiable ... 197
    p3p-element ... 197
    purpose ... 198
    recipient ... 199
    remedies ... 200
    retention ... 201
[PAM] stanza ... 202
    pam-enabled ... 202
    pam-max-memory ... 202
    pam-use-proxy-header ... 203
    pam-http-parameter ... 203
    pam-coalescer-parameter ... 204
    pam-log-cfg ... 205
    pam-log-audit-events ... 206
    pam-disabled-issues ... 206
    pam-resource-rule ... 207
[pam-resource:<URI>] stanza ... 208
    pam-issue ... 208
[preserve-cookie-names] stanza ... 209
    name ... 209
[process-root-filter] stanza ... 209
    root ... 209
[reauthentication] stanza ... 210
    reauth-at-any-level ... 210
    reauth-extend-lifetime ... 210
    reauth-for-inactive ... 211
    reauth-reset-lifetime ... 211
    terminate-on-reauth-lockout ... 212
[replica-sets] stanza ... 213
    replica-set ... 213
[rtss-eas] stanza ... 213
    apply-tam-native-policy ... 213
    audit-log-cfg ... 214
    cluster-name ... 215
    context-id ... 216
    trace-component ... 216
[rtss-cluster:<cluster>] stanza ... 217
    basic-auth-user ... 217
    basic-auth-passwd ... 217
    handle-idle-timeout ... 218
    handle-pool-size ... 218
    server ... 219
    ssl-fips-enabled ... 220
    ssl-keyfile ... 220
    ssl-keyfile-label ... 221
    ssl-keyfile-stash ... 222
    ssl-valid-server-dn ... 222
    timeout ... 223
[script-filtering] stanza ... 223
    hostname-junction-cookie ... 223
    rewrite-absolute-with-absolute ... 224
    script-filter ... 224
[server] stanza ... 225
    allow-shift-jis-chars ... 225
    allow-unauth-ba-supply ... 225
    allow-unsolicited-logins ... 226
    auth-challenge-type ... 227
    cache-host-header ... 228
    capitalize-content-length ... 229
    client-connect-timeout ... 229
    chunk-responses ... 230
    concurrent-session-threads-hard-limit ... 230
    concurrent-session-threads-soft-limit ... 231
    connection-request-limit ... 231
    cope-with-pipelined-request ... 232
    decode-query ... 232
    disable-timeout-reduction ... 233
    double-byte-encoding ... 233
    dynurl-allow-large-posts ... 234
    dynurl-map ... 235
    enable-IE6-2GB-downloads ... 235
    filter-nonhtml-as-xhtml ... 236
    force-tag-value-prefix ... 236
    http ... 237
    http-method-disabled-local ... 237
    http-method-disabled-remote ... 238
    http-port ... 238
    https ... 239
    https-port ... 239
    ignore-missing-last-chunk ... 240
    intra-connection-timeout ... 240
    io-buffer-size ... 241
    ip-support-level ... 242
    ipv6-support ... 243
    late-lockout-notification ... 243
    max-client-read ... 244


    max-file-cat-command-length ... 244
    max-file-descriptors ... 245
    max-idle-persistent-connections ... 246
    network-interface ... 246
    persistent-con-timeout ... 247
    pre-410-compatible-tokens ... 247
    pre-510-compatible-token ... 248
    preserve-base-href ... 248
    preserve-base-href2 ... 249
    preserve-p3p-policy ... 249
    process-root-requests ... 250
    redirect-using-relative ... 250
    reject-invalid-host-header ... 251
    reject-request-transfer-encodings ... 252
    request-body-max-read ... 252
    request-max-cache ... 253
    send-header-ba-first ... 253
    send-header-spnego-first ... 254
    server-name ... 255
    slash-before-query-on-redirect ... 255
    strip-www-authenticate-headers ... 256
    suppress-backend-server-identity ... 256
    suppress-dynurl-parsing-of-posts ... 257
    suppress-server-identity ... 258
    tag-value-missing-attr-tag ... 258
    use-existing-username-macro-in-custom-redirects ... 259
    use-http-only-cookies ... 259
    utf8-form-support-enabled ... 260
    utf8-qstring-support-enabled ... 260
    utf8-url-support-enabled ... 261
    validate-query-as-ga ... 261
    web-host-name ... 262
    web-http-port ... 263
    web-http-protocol ... 263
    worker-threads ... 264
[session] stanza ... 264
    dsess-enabled ... 264
    dsess-last-access-update-interval ... 265
    enforce-max-sessions-policy ... 265
    inactive-timeout ... 266
    logout-remove-cookie ... 266
    max-entries ... 267
    prompt-for-displacement ... 268
    register-authentication-failures ... 268
    require-mpa ... 269
    resend-webseal-cookies ... 269
    send-constant-sess ... 270
    shared-domain-cookie ... 270
    ssl-id-sessions ... 271
    ssl-session-cookie-name ... 271
    standard-junction-replica-set ... 272
    tcp-session-cookie-name ... 272
    temp-session-cookie-name ... 273
    temp-session-max-lifetime ... 273
    timeout ... 274
    update-session-cookie-in-login-request ... 275
    user-session-ids ... 275
    user-session-ids-include-replica-set ... 276
    use-same-session ... 276
[session-cookie-domains] stanza ... 277
    domain ... 277
[session-http-headers] stanza ... 277
    header_name ... 277
[ssl] stanza ... 278
    base-crypto-library ... 278
    crl-ldap-server ... 278
    crl-ldap-server-port ... 279
    crl-ldap-user ... 280
    crl-ldap-user-password ... 280
    disable-ssl-v2 ... 281
    disable-ssl-v3 ... 281
    disable-tls-v1 ... 282
    disable-tls-v11 ... 282
    disable-tls-v12 ... 283
    enable-duplicate-ssl-dn-not-found-msgs ... 283
    fips-mode-processing ... 284
    gsk-attr-name ... 284
    gsk-crl-cache-entry-lifetime ... 286
    gsk-crl-cache-size ... 286
    jct-gsk-attr-name ... 287
    ocsp-enable ... 288
    ocsp-max-response-size ... 289
    ocsp-nonce-check-enable ... 289
    ocsp-nonce-generation-enable ... 290
    ocsp-proxy-server-name ... 290
    ocsp-proxy-server-port ... 291
    ocsp-url ... 291
    ssl-keyfile ... 292
    ssl-keyfile-label ... 292
    ssl-keyfile-pwd ... 293
    ssl-keyfile-stash ... 293
    ssl-local-domain ... 294
    ssl-max-entries ... 294
    ssl-v2-timeout ... 295
    ssl-v3-timeout ... 296
    suppress-client-ssl-errors ... 296
    undetermined-revocation-cert-action ... 297
    webseal-cert-keyfile ... 297
    webseal-cert-keyfile-label ... 298
    webseal-cert-keyfile-pwd ... 298
    webseal-cert-keyfile-stash ... 299
[ssl-qop] stanza ... 299
    ssl-qop-mgmt ... 299
[ssl-qop-mgmt-default] stanza ... 300
    default ... 300
[ssl-qop-mgmt-hosts] stanza ... 301
    host-ip ... 301
[ssl-qop-mgmt-networks] stanza ... 302
    network/netmask ... 302
[step-up] stanza ... 303
    retain-stepup-session ... 303
    show-all-auth-prompts ... 303
    step-up-at-higher-level ... 304
    verify-step-up-user ... 304
[system-environment-variables] stanza ... 305
    env-name ... 305
[tfimsso:<jct-id>] stanza ... 306
    always-send-tokens ... 306
    applies-to ... 307
    one-time-token ... 307
    preserve-xml-token ... 308
    renewal-window ... 308


    service-name ... 309
    tfim-cluster-name ... 309
    token-collection-size ... 310
    token-type ... 310
    token-transmit-name ... 311
    token-transmit-type ... 311
[tfim-cluster:<cluster>] stanza ... 312
    basic-auth-user ... 312
    basic-auth-passwd ... 312
    gsk-attr-name ... 313
    handle-idle-timeout ... 314
    handle-pool-size ... 314
    server ... 315
    ssl-fips-enabled ... 316
    ssl-keyfile ... 316
    ssl-keyfile-label ... 317
    ssl-keyfile-stash ... 318
    ssl-valid-server-dn ... 318
    timeout ... 319
[uraf-registry] stanza ... 319
    bind-id ... 319
    cache-lifetime ... 320
    cache-mode ... 321
    cache-size ... 321
[user-agent] stanza ... 322
    user-agent ... 322

Notices ... 325

Index ... 329


About this publication

Welcome to the IBM Security Web Gateway Appliance: Web Reverse Proxy Stanza Reference.

IBM Security Access Manager for Web, formerly called IBM Tivoli Access Manager for e-business, is a user authentication, authorization, and web single sign-on solution for enforcing security policies over a wide range of web and application resources.

The IBM Security Web Gateway Appliance includes Security Access Manager. The appliance uses a Web Reverse Proxy to provide user access and authentication management for web application sessions. This guide uses the term WebSEAL to reference this proxy.

Security Access Manager WebSEAL is the resource manager for web-based resources in a Security Access Manager secure domain. WebSEAL is a high-performance, multi-threaded web server that applies fine-grained security policy to the protected web object space. WebSEAL can provide single sign-on solutions and incorporate back-end web application server resources into its security policy.

This guide provides the complete stanza reference for configuring WebSEAL. You can use this guide in conjunction with the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy, which provides valuable background and concept information for the wide range of WebSEAL functionality.

Intended audienceThis guide is for system administrators responsible for configuring andmaintaining a Security Access Manager WebSEAL environment.

Readers should be familiar with the following:
• PC and UNIX or Linux operating systems
• Database architecture and concepts
• Security management
• Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
• Lightweight Directory Access Protocol (LDAP) and directory services
• A supported user registry
• WebSphere® Application Server administration
• Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

Access to publications and terminology

This section provides:
• A list of publications in the “IBM Security Access Manager for Web library.”
• Links to “Online publications” on page xii.
• A link to the “IBM Terminology website” on page xii.

IBM Security Access Manager for Web library

The following documents are in the IBM Security Access Manager for Web library:
• IBM Security Access Manager for Web Quick Start Guide, GI11-9333-01
  Provides steps that summarize major installation and configuration tasks.
• IBM Security Web Gateway Appliance Quick Start Guide – Hardware Offering, SC22-5434-00
  Guides users through the process of connecting and completing the initial configuration of the WebSEAL Hardware Appliance.
• IBM Security Web Gateway Appliance Quick Start Guide – Virtual Offering
  Guides users through the process of connecting and completing the initial configuration of the WebSEAL Virtual Appliance.

• IBM Security Access Manager for Web Installation Guide, GC23-6502-02
  Explains how to install and configure Security Access Manager.
• IBM Security Access Manager for Web Upgrade Guide, SC23-6503-02
  Provides information for users to upgrade from version 6.0, or 6.1.x to version 7.0.
• IBM Security Access Manager for Web Administration Guide, SC23-6504-02
  Describes the concepts and procedures for using Security Access Manager. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility.
• IBM Security Access Manager for Web WebSEAL Administration Guide, SC23-6505-02
  Provides background material, administrative procedures, and reference information for using WebSEAL to manage the resources of your secure Web domain.
• IBM Security Access Manager for Web Plug-in for Web Servers Administration Guide, SC23-6507-02
  Provides procedures and reference information for securing your Web domain by using a Web server plug-in.
• IBM Security Access Manager for Web Shared Session Management Administration Guide, SC23-6509-02
  Provides administrative considerations and operational instructions for the session management server.
• IBM Security Access Manager for Web Shared Session Management Deployment Guide, SC22-5431-00
  Provides deployment considerations for the session management server.
• IBM Security Web Gateway Appliance Administration Guide, SC22-5432-00
  Provides administrative procedures and technical reference information for the WebSEAL Appliance.
• IBM Security Web Gateway Appliance Configuration Guide for Web Reverse Proxy, SC22-5433-00
  Provides configuration procedures and technical reference information for the WebSEAL Appliance.

• IBM Security Web Gateway Appliance Web Reverse Proxy Stanza Reference, SC27-4442-00
  Provides a complete stanza reference for the IBM® Security Web Gateway Appliance Web Reverse Proxy.

• IBM Security Access Manager for Web WebSEAL Configuration Stanza Reference, SC27-4443-00
  Provides a complete stanza reference for the WebSEAL Appliance.
• IBM Global Security Kit: CapiCmd Users Guide, SC22-5459-00
  Provides instructions on creating key databases, public-private key pairs, and certificate requests.
• IBM Security Access Manager for Web Auditing Guide, SC23-6511-02
  Provides information about configuring and managing audit events by using the native Security Access Manager approach and the Common Auditing and Reporting Service. You can also find information about installing and configuring the Common Auditing and Reporting Service. Use this service for generating and viewing operational reports.
• IBM Security Access Manager for Web Command Reference, SC23-6512-02
  Provides reference information about the commands, utilities, and scripts that are provided with Security Access Manager.
• IBM Security Access Manager for Web Administration C API Developer Reference, SC23-6513-02
  Provides reference information about using the C language implementation of the administration API to enable an application to perform Security Access Manager administration tasks.
• IBM Security Access Manager for Web Administration Java Classes Developer Reference, SC23-6514-02
  Provides reference information about using the Java™ language implementation of the administration API to enable an application to perform Security Access Manager administration tasks.
• IBM Security Access Manager for Web Authorization C API Developer Reference, SC23-6515-02
  Provides reference information about using the C language implementation of the authorization API to enable an application to use Security Access Manager security.
• IBM Security Access Manager for Web Authorization Java Classes Developer Reference, SC23-6516-02
  Provides reference information about using the Java language implementation of the authorization API to enable an application to use Security Access Manager security.
• IBM Security Access Manager for Web Web Security Developer Reference, SC23-6517-02
  Provides programming and reference information for developing authentication modules.
• IBM Security Access Manager for Web Error Message Reference, GI11-8157-02
  Provides explanations and corrective actions for the messages and return codes.
• IBM Security Access Manager for Web Troubleshooting Guide, GC27-2717-01
  Provides problem determination information.
• IBM Security Access Manager for Web Performance Tuning Guide, SC23-6518-02
  Provides performance tuning information for an environment that consists of Security Access Manager with the IBM Tivoli Directory Server as the user registry.


Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Access Manager for Web Information Center
    The http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isam.doc_70/welcome.html site displays the information center welcome page for this product.

IBM Publications Center
    The http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss site offers customized search functions to help you find all the IBM publications that you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.

Related publications

This section lists the IBM products that are related to and included with the Security Access Manager solution.

Note: The following middleware products are not packaged with IBM Security Web Gateway Appliance.

IBM Global Security Kit

Security Access Manager provides data encryption by using Global Security Kit (GSKit) version 8.0.x. GSKit is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform.

GSKit version 8 includes the command-line tool for key management, GSKCapiCmd (gsk8capicmd_64).

GSKit version 8 no longer includes the key management utility, iKeyman (gskikm.jar). iKeyman is packaged with IBM Java version 6 or later and is now a pure Java application with no dependency on the native GSKit runtime. Do not move or remove the bundled java/jre/lib/gskikm.jar library.

The IBM Developer Kit and Runtime Environment, Java Technology Edition, Version 6 and 7, iKeyman User's Guide for version 8.0 is available on the Security Access Manager Information Center. You can also find this document directly at:

http://download.boulder.ibm.com/ibmdl/pub/software/dw/jdk/security/60/iKeyman.8.User.Guide.pdf

Note:

GSKit version 8 includes important changes made to the implementation of Transport Layer Security required to remediate security issues.

The GSKit version 8 changes comply with the Internet Engineering Task Force (IETF) Request for Comments (RFC) requirements. However, it is not compatible with earlier versions of GSKit. Any component that communicates with Security Access Manager that uses GSKit must be upgraded to use GSKit version 7.0.4.42, or 8.0.14.26 or later. Otherwise, communication problems might occur.

IBM Tivoli Directory Server

IBM Tivoli Directory Server version 6.3 FP17 (6.3.0.17-ISS-ITDS-FP0017) is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform.

You can find more information about Tivoli Directory Server at:

http://www.ibm.com/software/tivoli/products/directory-server/

IBM Tivoli Directory Integrator

IBM Tivoli Directory Integrator version 7.1.1 is included on the IBM Tivoli Directory Integrator Identity Edition V 7.1.1 for Multiplatform product image or DVD for your particular platform.

You can find more information about IBM Tivoli Directory Integrator at:

http://www.ibm.com/software/tivoli/products/directory-integrator/

IBM DB2 Universal Database™

IBM DB2 Universal Database Enterprise Server Edition, version 9.7 FP4 is provided on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform. You can install DB2® with the Tivoli Directory Server software, or as a stand-alone product. DB2 is required when you use Tivoli Directory Server or z/OS® LDAP servers as the user registry for Security Access Manager. For z/OS LDAP servers, you must separately purchase DB2.

You can find more information about DB2 at:

http://www.ibm.com/software/data/db2

IBM WebSphere products

The installation packages for WebSphere Application Server Network Deployment, version 8.0, and WebSphere eXtreme Scale, version 8.5.0.1, are included with Security Access Manager version 7.0. WebSphere eXtreme Scale is required only when you use the Session Management Server (SMS) component.

WebSphere Application Server enables the support of the following applications:
• Web Portal Manager interface, which administers Security Access Manager.
• Web Administration Tool, which administers Tivoli Directory Server.
• Common Auditing and Reporting Service, which processes and reports on audit events.
• Session Management Server, which manages shared sessions in a Web security server environment.
• Attribute Retrieval Service.

You can find more information about WebSphere Application Server at:

http://www.ibm.com/software/webservers/appserv/was/library/

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Visit the IBM Accessibility Center for more information about IBM's commitment to accessibility.

Technical training

For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

The IBM Security Access Manager for Web Troubleshooting Guide provides details about:
• What information to collect before you contact IBM Support.
• The various methods for contacting IBM Support.
• How to use IBM Support Assistant.
• Instructions and problem-determination resources to isolate and fix the problem yourself.

Note: The Community and Support tab on the product information center can provide more support resources.


Stanza reference

This guide provides a complete stanza reference for the WebSEAL configuration file, alphabetized by stanza name.

You can use the IBM Security Web Gateway Appliance Local Management Interface (LMI) to edit the WebSEAL configuration file. On the Reverse Proxy management page, select the appropriate WebSEAL instance and click Manage > Configuration > Edit Configuration File to open the Advanced Configuration File Editor. You can use this editor to directly edit the WebSEAL configuration file.

For more details about the WebSEAL configuration file naming and structure, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy. For more information about administering the appliance and navigating the LMI, see the IBM Security Web Gateway Appliance: Administration Guide.

[acnt-mgt] stanza

account-expiry-notification

Syntax

account-expiry-notification = {yes|no}

Description

Specifies whether WebSEAL informs the user of the reason for a login failure when the failure is due to an invalid or expired account. When this entry is set to no, the user receives the same error message as that which is sent when a login fails due to invalid authentication information, such as an invalid user name or password.

Options

yes Enable.

no Disable.

Usage

This stanza entry is required.

Default value

no

Example

account-expiry-notification = yes

account-inactivated

Syntax

account-inactivated = filename


Description

Page displayed when nsAccountLock is true for a user (in Sun Directory Server) when they attempt to log in. This page will only be displayed if they provide the correct password during login.

NOTE: This option has no effect unless the corresponding Security Access Manager LDAP option is enabled ([ldap] enhanced-pwd-policy=yes). This LDAP option must be supported for the particular LDAP registry type.

Options

filename
    Page displayed when nsAccountLock is true for the user who has provided the correct password during login.

Usage

This stanza entry is required.

Default value

None.

NOTE: The value for this option in the template configuration file is acct_locked.html.

Example

account-inactivated = acct_locked.html

account-locked

Syntax

account-locked = filename

Description

Page displayed when the user authentication fails due to a locked user account.

Options

filename
    Page displayed when the user authentication fails due to a locked user account.

Usage

This stanza entry is required.

Default value

acct_locked.html

Example

account-locked = acct_locked.html


allow-unauthenticated-logout

Syntax

allow-unauthenticated-logout = {yes|no}

Description

Determines whether unauthenticated users are able to request the pkmslogout resource without authenticating first.

Options

yes Allow unauthenticated users to be able to request the pkmslogout resource.

no Unauthenticated users must authenticate before the pkmslogout resource is returned.

Usage

This stanza entry is required.

Default value

no

Example

allow-unauthenticated-logout = no

allowed-referers

Syntax

allowed-referers = referer_filter

Description

For protection against cross-site request forgery (CSRF) attacks, you can configure WebSEAL to validate the HTTP Request referer header for all account management pages. WebSEAL uses the value provided for this configuration entry to determine whether the referrer host name in an incoming request is "valid".

If this entry is configured, when WebSEAL receives a request for an account management page, WebSEAL:
1. Checks whether the referer header is present in the HTTP Request header.
2. Validates the host name portion of that referrer against the allowed-referers entries.

If WebSEAL finds that an incoming request does not match any of the configured allowed-referers filters, the request fails and WebSEAL returns an error page.

Entries can contain the following wildcard characters:
• * - match 0 or more characters.
• ? - match any single character.
• \ - Literal match of the following character.


You can use the value %HOST% for this entry. This value is a special filter, which indicates to WebSEAL that a referrer is "valid" if the host name portion of the referer header matches the host header.

If there are no allowed-referers entries then WebSEAL does not complete this validation.

Note: You can specify this entry multiple times to define multiple "allowed" referrer filters. WebSEAL uses all of these entries when validating the referrer.

For more information about referrer validation, search for "CSRF" in the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.

Options

referer_filter
    Specifies a filter for a referrer host name that WebSEAL can accept as "valid".

Usage

This stanza entry is optional.

Default value

None.

Example

The following entry matches any referrer host name that begins with the characters ac, followed by zero or more characters, and ends with the characters me.

allowed-referers = ac*me

The following entry indicates that a referrer is "valid" if the host name portion of the referer header matches the host header.

allowed-referers = %HOST%
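The following Python is an added example written for this page, not WebSEAL's own code: it applies the referer validation described above to constructed request headers, using the three wildcard characters (*, ?, \) and the special %HOST% filter exactly as the entry documents them. The function names, the lower-cased header dictionary and the decision to reject a request that carries no Referer header at all are assumptions of the example; the page does not state how WebSEAL treats an absent header.

```python
"""Added example: allowed-referers style validation of the Referer host name.
Illustrative code for this page, not the WebSEAL implementation."""
import re
from urllib.parse import urlsplit

HOST_FILTER = "%HOST%"   # special filter: referrer host must equal the Host header


def filter_to_regex(referer_filter: str) -> "re.Pattern":
    """Translate one allowed-referers filter into an anchored regex.
    '*' matches 0 or more characters, '?' any single character and
    '\\' makes the next character literal, as the entry documents."""
    parts = []
    i = 0
    while i < len(referer_filter):
        ch = referer_filter[i]
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        elif ch == "\\" and i + 1 < len(referer_filter):
            i += 1
            parts.append(re.escape(referer_filter[i]))
        else:
            parts.append(re.escape(ch))
        i += 1
    # Anchored and case-insensitive: "acme" must be the whole host name,
    # so "acme.attacker.test" cannot satisfy a filter of "acme".
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def referer_host(referer_value: str) -> str:
    """Host-name portion of a Referer value (scheme, port and path dropped)."""
    return urlsplit(referer_value).hostname or ""


def referer_allowed(headers: dict, allowed_referers: list) -> bool:
    """True when the request may proceed. `headers` uses lower-case names.
    No configured filters -> validation skipped (as the text states).
    No Referer header with filters configured -> rejected (example's assumption)."""
    if not allowed_referers:
        return True
    referer = headers.get("referer")
    if not referer:
        return False
    host = referer_host(referer)
    request_host = urlsplit("//" + headers.get("host", "")).hostname or ""
    for flt in allowed_referers:
        if flt == HOST_FILTER:
            if host and host.lower() == request_host.lower():
                return True
        elif filter_to_regex(flt).match(host):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample requests against the page's own example filter.
    for ref in ("https://acme/", "https://acme.example.com/"):
        print(ref, "->", referer_allowed({"referer": ref, "host": "webseal.example.com"}, ["ac*me"]))
```

Note that the page's own example filter ac*me accepts the host name acme but not acme.example.com, because the filter must match the whole host name; a filter such as *.example.com is what matches a sub-domain, and it still rejects example.com itself and anything with a trailing suffix.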

cert-failure

Syntax

cert-failure = filename

Description

Page displayed when certificates are required and a client fails to authenticate with a certificate.

Options

filename
    Page displayed when certificates are required and a client fails to authenticate with a certificate.

Usage

This stanza entry is required.


Default value

certfailure.html

Example

cert-failure = certfailure.html

cert-stepup-http

Syntax

cert-stepup-http = filename

Description

WebSEAL displays this HTML page when a client attempts to increase authentication strength level (step-up) to certificates while using HTTP protocol.

Options

filename
    WebSEAL displays this HTML page when a client attempts to increase authentication strength level (step-up) to certificates while using HTTP protocol.

Usage

This stanza entry is required.

Default value

certstepuphttp.html

Example

cert-stepup-http = certstepuphttp.html

certificate-login

Syntax

certificate-login = filename

Description

Form requesting client-side certificate authentication login.

This form is used only when the accept-client-certs key in the [certificate] stanza is set to prompt_as_needed.

Options

filename
    Form requesting client-side certificate authentication login.

Usage

This stanza entry is required when delayed certificate authentication or authentication strength level (step-up) for certificates is enabled.


Default value

certlogin.html

Example

certificate-login = certlogin.html

change-password-auth

Syntax

change-password-auth = {yes|no}

Description

Enable this option to allow users to authenticate when changing a password.

Options

yes Enable.

no Disable.

Usage

This stanza entry is required.

Default value

no

Example

change-password-auth = yes

client-notify-tod

Syntax

client-notify-tod = {yes|no}

Description

Enable the display of an error page when authorization is denied due to a POP time of day check. The error page is 38cf08cc.html.

Options

yes Enable.

no Disable.

Usage

This stanza entry is required.

Default value

no


Example

client-notify-tod = yes

enable-html-redirect

Syntax

enable-html-redirect = {yes|no}

Description

Configures WebSEAL to use the HTML redirect page to handle redirections rather than returning an HTTP 302 response redirect.

When a user successfully authenticates, WebSEAL typically uses an HTTP 302 response to redirect the user back to the resource that was originally requested.

HTML redirection causes WebSEAL to send a static page back to the browser instead of a 302 redirect. WebSEAL can then use the JavaScript or any other code that is embedded in this static page to process the redirect.

You can use the html-redirect configuration entry, which is also in the [acnt-mgt] stanza, to specify the page that contains the HTML redirection.

For more information about HTML redirection, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.

Note: If you enable this configuration entry, you must not specify a value for the login-redirect-page entry, which is also in the [acnt-mgt] stanza.

Options

yes Enable.

no Disable.

Usage

This stanza entry is required.

Default value

no

Example

enable-html-redirect = no

enable-local-response-redirect

Syntax

enable-local-response-redirect = {yes|no}

Description

Enable or disable sending a redirection to a response application instead of serving management or error pages from the local system.


You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [acnt-mgt:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

yes Enable.

no Disable.

Usage

This stanza entry is required.

Default value

no

Example

enable-local-response-redirect = no
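As an added example, not WebSEAL code, the following Python shows how a junction-specific [acnt-mgt:{junction_name}] override described above is resolved: the lookup tries the junction's own stanza first and falls back to the base [acnt-mgt] stanza. The stanza text is constructed for the example (a standard junction /app and a virtual host label vhost-a are assumed), and the parsing is done with Python's configparser rather than WebSEAL's own configuration loader.

```python
"""Added example: resolving a per-junction override stanza.
Illustrative code written for this page, not the WebSEAL implementation."""
import configparser

# Constructed sample configuration (not from the page): one base stanza,
# an override for the standard junction /app and one for the virtual host
# junction labelled vhost-a.
SAMPLE_CONFIG = """
[acnt-mgt]
enable-local-response-redirect = no
login = login.html

[acnt-mgt:/app]
enable-local-response-redirect = yes

[acnt-mgt:vhost-a]
login = vhost_login.html
"""


def load_config(text: str) -> configparser.ConfigParser:
    """Parse stanza text. Interpolation is disabled so values such as
    %HOST% are kept literally; entry names stay case-sensitive."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def lookup(parser: configparser.ConfigParser, stanza: str, entry: str,
           junction: str = None):
    """Value of `entry` for `junction`: [stanza:junction] wins when it
    defines the entry, otherwise [stanza]; None when neither defines it.
    has_option() is False for a section that does not exist, so a junction
    without its own stanza simply falls through to the base stanza."""
    if junction is not None:
        override = f"{stanza}:{junction}"
        if parser.has_option(override, entry):
            return parser.get(override, entry)
    if parser.has_option(stanza, entry):
        return parser.get(stanza, entry)
    return None


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for jct in ("/app", "/other", "vhost-a"):
        print(jct, lookup(cfg, "acnt-mgt", "enable-local-response-redirect", jct),
              lookup(cfg, "acnt-mgt", "login", jct))
```

The useful check this gives an administrator is the effective value per junction: an override stanza only changes the entries it repeats, so every entry it omits keeps the base-stanza value.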

enable-passwd-warn

Syntax

enable-passwd-warn = {yes|no}

Description

Enable WebSEAL to detect the attribute REGISTRY_PASSWORD_EXPIRE_TIME added to a user's credential when the LDAP password policy indicates that their password is soon to expire. The value of this attribute is the number of seconds until their password expires. When this attribute is detected, at login to WebSEAL, a password warning form will appear.

NOTE: This option must be set in order to use the associated options, which are also in the [acnt-mgt] stanza: passwd-warn and passwd-warn-failure. The corresponding Security Access Manager LDAP option must be enabled ([ldap] enhanced-pwd-policy=yes) and supported for the particular LDAP registry type.

Options

yes Enable the detection of the REGISTRY_PASSWORD_EXPIRE_TIME to ultimately warn the user when their password is soon to expire.

no Disable the detection of the REGISTRY_PASSWORD_EXPIRE_TIME attribute. WebSEAL will not be able to notify users when their passwords are soon to expire.

Usage

This stanza entry is optional.


Default value

The option will default to yes if it is not specified in the configuration file.

NOTE: The value for this option in the template configuration file is no.

Example

enable-passwd-warn = yes

enable-secret-token-validation

Syntax

enable-secret-token-validation = {true|false}

Description

Use this entry to enable secret token validation, which protects certain WebSEAL account management pages against cross-site request forgery (CSRF) attacks. If you set this entry to true, WebSEAL adds a token to each session and validates the "token" query argument for the following account management requests:
• /pkmslogin.form
• /pkmslogout
• /pkmslogout-nomas
• /pkmssu.form
• /pkmsskip
• /pkmsdisplace
• /pkmspaswd.form

For example, you must change the /pkmslogout request to pkmslogout?token=<value>, where <value> is the unique session token.

If secret token validation is enabled and the token argument is missing from the request or does not match the session token, WebSEAL returns an error page. For more information about secret token validation, search for "CSRF" in the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.

Options

true WebSEAL uses secret token validation to protect against CSRF attacks.

Note: This setting modifies the URLs for the affected WebSEAL management pages. Each of these management requests must contain a "token" argument with the current session token.

false WebSEAL does not use secret token validation.

Usage

This stanza entry is optional.

Default value

false

Example

enable-secret-token-validation = true
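The following Python is an added example for this entry, not WebSEAL's implementation: it models the check that enable-secret-token-validation = true turns on, over the seven management requests listed above, and shows the three outcomes the text describes (token present and matching, token missing, token mismatched) plus the two cases that are left alone (validation disabled, a request outside the protected set). How WebSEAL generates and stores its session token is not on this page; the CSPRNG token below, the string-result convention and the treatment of a duplicated token argument as an error are assumptions of the example.

```python
"""Added example: session-bound secret token validation for WebSEAL-style
account management requests. Illustrative code, not the product's code."""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# The account management requests the entry protects, from the page.
PROTECTED_PATHS = {
    "/pkmslogin.form", "/pkmslogout", "/pkmslogout-nomas", "/pkmssu.form",
    "/pkmsskip", "/pkmsdisplace", "/pkmspaswd.form",
}


def new_session_token() -> str:
    """One unguessable token per session (assumed: 256 bits from the CSPRNG).
    A forged cross-site request cannot read it, so it cannot supply it."""
    return secrets.token_urlsafe(32)


def check_request(url: str, session_token: str, enabled: bool = True) -> str:
    """'ok' when the request may proceed, 'error' when the error page would
    be served. Paths outside PROTECTED_PATHS are never checked."""
    parts = urlsplit(url)
    if not enabled or parts.path not in PROTECTED_PATHS:
        return "ok"
    supplied = parse_qs(parts.query).get("token", [])
    # Exactly one token argument is required (example's choice for duplicates);
    # missing or mismatched -> error page. compare_digest keeps the comparison
    # constant-time so the token cannot be recovered byte by byte.
    if len(supplied) != 1:
        return "error"
    if not hmac.compare_digest(supplied[0].encode(), session_token.encode()):
        return "error"
    return "ok"


if __name__ == "__main__":
    token = new_session_token()
    for url in ("/pkmslogout", f"/pkmslogout?token={token}", "/pkmslogout?token=guess",
                "/jct/index.html"):
        print(url, "->", check_request(url, token))
```

The operational consequence is the one the Note above states: every link or form that targets these pages has to carry the session's current token, so a page template that hard-codes /pkmslogout will start receiving the error page once the entry is set to true.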


help

Syntax

help = filename

Description

Page containing links to valid administration pages.

Options

filename
    Page containing links to valid administration pages.

Usage

This stanza entry is required.

Default value

help.html

Example

help = help.html

http-rsp-header

Syntax

http-rsp-header = header-name:macro

Description

Inserts custom headers whenever WebSEAL returns a custom response to the client.

Options

header-name
    The name of the header that holds the value.

macro
    The type of value to be inserted. This parameter can be one of the following values:
    • TAM_OP
    • AUTHNLEVEL
    • ERROR_CODE
    • ERROR_TEXT
    • CREDATTR(<name>), where <name> is the name of the credential attribute.
    • USERNAME

Usage

This stanza entry is optional.


Note: You can specify this entry multiple times to include multiple headers in the response.

Default value

None.

Example

The following example inserts the Security Access Manager error code in a response header named tam-error-code:

http-rsp-header = tam-error-code:ERROR_CODE

html-redirect

Syntax

html-redirect = filename

Description

Specifies the standard HTML redirection page.

Options

filename
    Standard HTML redirection page.

Usage

This stanza entry is required.

Default value

redirect.html

Example

html-redirect = redirect.html

login

Syntax

login = filename

Description

Standard login form.

Options

filename
    Standard login form.

Usage

This stanza entry is required.


Default value

login.html

Example

login = login.html

login-redirect-page

Syntax

login-redirect-page = destination

Description

Page to which users are automatically redirected after completing a successful authentication. The configured redirect destination can be one of the following:
• A server-relative Uniform Resource Locator (URL), or
• An absolute URL, or
• A macro which allows dynamic substitution of information from WebSEAL.

The supported macros include:

%AUTHNLEVEL%
    Level at which the session is currently authenticated.

%HOSTNAME%
    Fully qualified host name.

%PROTOCOL%
    The client connection protocol used. Can be HTTP or HTTPS.

%URL%
    The original URL requested by the client.

%USERNAME%
    The name of the logged in user.

%HTTPHDR{name}%
    The HTTP header that corresponds to the specified name. For example: %HTTPHDR{Host}%

%CREDATTR{name}%
    The credential attribute with the specified name. For example: %CREDATTR{tagvalue_session_index}%

Note: You cannot use this configuration entry if the enable-js-redirect entry (also in the [acnt-mgt] stanza) is set to yes. These redirects are not compatible with one another.

Options

destination
    Uniform Resource Locator (URL) to which users are automatically redirected after login, or a macro for dynamic substitution of information from WebSEAL.

Usage

This stanza entry is optional.


Default value

None.

Example

Example of a server relative URL:

login-redirect-page = /jct/page.html

Example of an absolute URL:

login-redirect-page = http://www.ibm.com/

Example that uses a macro:

login-redirect-page = /jct/intro-page.html?level=%AUTHNLEVEL%&url=%URL%
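As an added illustration, not WebSEAL code, the following Python expands the seven macros listed above over a constructed request context and runs the page's own macro example through it. The context fields, the lower-cased header dictionary and, in particular, the percent-encoding of a value that lands inside the query string (so a requested URL containing & or ? cannot split the redirect's own query) are choices of this example; the page does not document how WebSEAL encodes substituted values.

```python
"""Added example: expanding login-redirect-page macros.
Illustrative code written for this page, not the WebSEAL implementation."""
import re
from urllib.parse import quote

# One regex for the macros the entry documents; unknown %...% text is left alone.
MACRO_RE = re.compile(
    r"%(AUTHNLEVEL|HOSTNAME|PROTOCOL|URL|USERNAME"
    r"|HTTPHDR\{([^}]*)\}|CREDATTR\{([^}]*)\})%"
)

# Constructed request context (assumed field names, not WebSEAL's internals).
SAMPLE_CONTEXT = {
    "authnlevel": 1,
    "hostname": "webseal.example.com",
    "protocol": "HTTPS",
    "url": "/jct/app?id=7&view=full",      # original request, contains ? and &
    "username": "alice",
    "headers": {"host": "webseal.example.com"},   # lower-cased header names
    "cred": {"tagvalue_session_index": "s-42"},
}


def expand_redirect(destination: str, ctx: dict) -> str:
    """Substitute every supported macro in `destination` from `ctx`."""
    def replace(match: "re.Match") -> str:
        macro = match.group(1)
        if macro.startswith("HTTPHDR{"):
            value = ctx["headers"].get(match.group(2).lower(), "")
        elif macro.startswith("CREDATTR{"):
            value = ctx["cred"].get(match.group(3), "")
        else:
            value = str(ctx[macro.lower()])
        # A macro that sits after the '?' is a query argument value:
        # percent-encode it so the substituted text cannot add arguments
        # or truncate the redirect (this example's choice).
        in_query = "?" in destination[:match.start()]
        return quote(value, safe="") if in_query else value

    return MACRO_RE.sub(replace, destination)


if __name__ == "__main__":
    # The page's own macro example, expanded against the sample context.
    print(expand_redirect("/jct/intro-page.html?level=%AUTHNLEVEL%&url=%URL%", SAMPLE_CONTEXT))
```

Run against the sample context, the page's macro example becomes /jct/intro-page.html?level=1&url=%2Fjct%2Fapp%3Fid%3D7%26view%3Dfull, which the destination application can decode back to the original request; left unencoded, the view=full argument would have been parsed as belonging to the redirect rather than to the original URL.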

login-success

Syntax

login-success = filename

Description

Page displayed after successful login.

Options

filename
    Page displayed after successful login.

Usage

This stanza entry is required.

Default value

login_success.html

Example

login-success = login_success.html

logout

Syntax

logout = filename

Description

Page displayed after successful logout.

Options

filename
    Page displayed after successful logout.


Usage

This stanza entry is required.

Default value

logout.html

Example

logout = logout.html

passwd-change

Syntax

passwd-change = filename

Description

Page containing a change password form.

Options

filename
    Page containing a change password form.

Usage

This stanza entry is required.

Default value

passwd.html

Example

passwd-change = passwd.html

passwd-change-failure

Syntax

passwd-change-failure = filename

Description

Page displayed when password change request fails.

Options

filename
    Page displayed when password change request fails.

Usage

This stanza entry is required.


Default value

passwd.html

Example

passwd-change-failure = passwd.html

passwd-change-success

Syntax

passwd-change-success = filename

Description

Page displayed when password change request succeeds.

Options

filename
    Page displayed when password change request succeeds.

Usage

This stanza entry is required.

Default value

passwd_rep.html

Example

passwd-change-success = passwd_rep.html

passwd-expired

Syntax

passwd-expired = filename

Description

Page displayed when the user authentication fails due to an expired user password.

Options

filename
    Page displayed when the user authentication fails due to an expired user password.

Usage

This stanza entry is required.

Default value

passwd_exp.html


Example

passwd-expired = passwd_exp.html

passwd-warn

Syntax

passwd-warn = filename

Description

Page displayed after login if WebSEAL detects the LDAP password is soon to expire.

NOTE: This option has no effect unless enable-passwd-warn (also in the [acnt-mgt] stanza) is set to yes and the corresponding Security Access Manager LDAP option is also enabled ([ldap] enhanced-pwd-policy=yes). This LDAP option must be supported for the particular LDAP registry type.

Options

filename

Page displayed as a warning that the LDAP password is soon to expire.

Usage

This stanza entry is required.

Default value

None.

NOTE: The value for this option in the template configuration file is passwd_warn.html.

Example

passwd-warn = passwd_warn.html

passwd-warn-failure

Syntax

passwd-warn-failure = filename

Description

Page displayed if the user fails to change their password after being notified that the LDAP password is soon to expire. This page gives the user another chance to change their password and indicates the cause of the error.

NOTE: This option has no effect unless enable-passwd-warn (also in the [acnt-mgt] stanza) is set to yes and the corresponding Security Access Manager LDAP option is also enabled ([ldap] enhanced-pwd-policy=yes). This LDAP option must be supported for the particular LDAP registry type.


Options

filename

Page displayed if the user does not change their password after receiving notification that the LDAP password is soon to expire.

Usage

This stanza entry is required.

Default value

None.

NOTE: The value for this option in the template configuration file is passwd_warn.html.

Example

passwd-warn-failure = passwd_warn.html

redirect-to-root-for-pkms

Syntax

redirect-to-root-for-pkms = {yes|no}

Description

In older releases, WebSEAL would, in rare cases, redirect clients to the document root directory instead of returning the login success page following a successful authentication. This behavior was eliminated in later releases. Set redirect-to-root-for-pkms to yes to restore the previous behavior.

Options

yes Restore previous behavior.

no Maintain default behavior.

Usage

This stanza entry is required.

Default value

no

Example

redirect-to-root-for-pkms = no

single-signoff-uri

Syntax

single-signoff-uri = URI


Description

When a user session is terminated in WebSEAL, any sessions that might exist on backend application servers are not destroyed. You can use this configuration entry to change this default behavior.

When a WebSEAL user session is terminated and this stanza entry is configured, WebSEAL sends a request to the resource specified by the configured URI. The request contains any configured headers and cookies for the junction point on which the resource resides. The backend application can use this information to terminate any sessions for that user.

Note: You can configure more than one single-signoff-uri entry to send a request to multiple URIs.

Options

URI

The resource identifier of the application that receives the single signoff request from WebSEAL.

Note: The URI must be server relative and correspond to a resource on a standard junction.

Usage

This stanza entry is optional.

Default value

None.

Example

single-signoff-uri = /management/logoff

stepup-login

Syntax

stepup-login = filename

Description

Step-up authentication login form.

Options

filename

Step-up authentication login form.

Usage

This stanza entry is required.

Default value

stepuplogin.html


Example

stepup-login = stepuplogin.html

switch-user

Syntax

switch-user = filename

Description

Switch user management form.

Options

filename

Switch user management form.

Usage

This stanza entry is required.

Default value

switchuser.html

Example

switch-user = switchuser.html

temp-cache-response

Syntax

temp-cache-response = filename

Description

The default page that WebSEAL returns if no URL redirect is supplied with the pkmstempsession request. The pkmstempsession page is accessed to achieve session sharing with Microsoft Office applications. For more information about sharing sessions with Microsoft Office applications, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.

Options

filename

The default page that WebSEAL returns for a pkmstempsession request.

Usage

This stanza entry is optional.

Default value

temp_cache_response.html


Example

temp-cache-response = temp_cache_response.html

too-many-sessions

Syntax

too-many-sessions = filename

Description

Page displayed when a user has too many concurrent sessions and must either cancel their new login or terminate the other sessions.

Options

filename

Page displayed when a user has too many concurrent sessions and must either cancel their new login or terminate the other sessions.

Usage

This stanza entry is required.

Default value

too_many_sessions.html

Example

too-many-sessions = too_many_sessions.html

use-restrictive-logout-filenames

Syntax

use-restrictive-logout-filenames = {yes|no}

Description

Controls the restrictions normally enforced on the name of the /pkmslogout custom response file.

Options

yes Use the default restrictions on the name of the /pkmslogout custom response file.

no Only slash (/), backslash (\), characters outside of the ASCII range 0x20 - 0x7E, and filenames that begin with a period (.) will be disallowed.

Usage

This stanza entry is required.

Default value

yes


Example

use-restrictive-logout-filenames = yes

use-filename-for-pkmslogout

Syntax

use-filename-for-pkmslogout = {yes|no}

Description

Controls whether or not the appended query string (specifying a custom response page) in a pkmslogout command is used to override the default response page.

Options

yes Enables the operation of the query string. If a query string in a pkmslogout URL specifies a custom response page, that custom page is used instead of the default page.

no Disables the operation of the query string. Any query string in a pkmslogout URL that specifies a custom response page is ignored. Only the default response page is used upon logout.

Usage

This stanza entry is required.

Default value

no

Example

use-filename-for-pkmslogout = yes
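The interplay of use-filename-for-pkmslogout and use-restrictive-logout-filenames, written out as an added Python example (not IBM's code). The query argument name filename, the stand-in strict rule, and the fallback to the default page when a name is rejected are assumptions of the example; only the relaxed rule is stated by the reference.

```python
"""Added example (not IBM's code): how use-filename-for-pkmslogout and
use-restrictive-logout-filenames decide which page a /pkmslogout request
gets. The query argument name 'filename' is an assumption of this example."""
from urllib.parse import parse_qs, urlsplit

DEFAULT_LOGOUT_PAGE = "logout.html"  # [acnt-mgt] logout default value
QUERY_PARAM = "filename"             # assumed name of the pkmslogout query argument


def relaxed_name_is_allowed(name: str) -> bool:
    """Rule the reference states for use-restrictive-logout-filenames = no:
    only slash, backslash, characters outside ASCII 0x20-0x7E, and names
    that begin with a period are disallowed."""
    if not name or name.startswith("."):
        return False
    return all(ch not in "/\\" and 0x20 <= ord(ch) <= 0x7E for ch in name)


def strict_name_is_allowed(name: str) -> bool:
    """Stand-in for the default restrictions (= yes), which the reference does
    not enumerate. Assumed here: everything the relaxed rule forbids, plus only
    letters, digits, '_', '-' and '.' are permitted."""
    return relaxed_name_is_allowed(name) and all(
        ch.isalnum() or ch in "_-." for ch in name)


def choose_logout_page(request_uri: str,
                       use_filename_for_pkmslogout: bool,
                       use_restrictive_logout_filenames: bool = True) -> tuple:
    """Return (page, reason) for a /pkmslogout request.

    The query string is consulted only when use-filename-for-pkmslogout = yes;
    the named page must then pass the strict or relaxed filename rule. A
    rejected name falls back to the default page (assumed behaviour; the
    reference only says which names are disallowed)."""
    parts = urlsplit(request_uri)
    if parts.path != "/pkmslogout":
        raise ValueError("not a /pkmslogout request")
    if not use_filename_for_pkmslogout:
        return DEFAULT_LOGOUT_PAGE, "query string ignored"
    names = parse_qs(parts.query).get(QUERY_PARAM, [])
    if not names:
        return DEFAULT_LOGOUT_PAGE, "no custom page requested"
    check = (strict_name_is_allowed if use_restrictive_logout_filenames
             else relaxed_name_is_allowed)
    if check(names[0]):
        return names[0], "custom page accepted"
    return DEFAULT_LOGOUT_PAGE, "custom page name rejected"


if __name__ == "__main__":
    # Constructed requests: a clean name, one with a path separator, a hidden
    # file, and one with a space (allowed only under the relaxed rule).
    for uri in ("/pkmslogout?filename=bye.html",
                "/pkmslogout?filename=dir%2Fbye.html",
                "/pkmslogout?filename=.hidden",
                "/pkmslogout?filename=bye+page.html"):
        for restrictive in (True, False):
            print(uri, "restrictive" if restrictive else "relaxed",
                  choose_logout_page(uri, True, restrictive))
```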

[auth-cookies] stanza

cookie

Syntax

cookie = cookie-name

Description

Specifies HTTP cookies to be used for authentication.

Note: This option is enabled only when the http-headers-auth option in the [http-headers] stanza is configured for http, https, or both.

Options

cookie-name

Name of the HTTP cookie to be used for authentication.


Usage

This stanza entry is optional.

Default value

None.

Example

cookie = authcookie

[authentication-levels] stanza

level

Syntax

level = method-name

Description

Step-up authentication levels. WebSEAL enables authenticated users to increase the authentication level by use of step-up authentication. This key=value pair specifies which step-up authentication levels are supported by this WebSEAL server.

Do not specify an authentication level unless the authentication method is enabled. For example, you must enable either basic authentication or forms authentication before you set level = password.

Enter a separate key=value pair for each supported level. Supported levels include:

v unauthenticated

v password

v ssl

v ext-auth-interface

The position of the entry in the file dictates the associated authentication level. The first row, typically unauthenticated, is associated with authentication level 0. Each subsequent line is associated with the next higher level. You can add multiple entries for the same method.

It is possible for the method to set the authentication level itself. For example, an External Authentication Interface (EAI) implementation might set either authentication level 2 or 3 depending on the authentication transaction that the client undertakes.

The EAI can set this authentication level directly in the identity attributes returned to WebSEAL. To support this implementation, you can create two identical lines in positions 3 and 4. For example:

level = unauthenticated (associated with level 0)

level = password (associated with level 1)

level = ext-auth-interface (associated with level 2)

level = ext-auth-interface (associated with level 3)


Options

method-name

Name of the authentication method.

Usage

This stanza entry is required.

Default value

unauthenticated

password

Example

level = unauthenticated

level = password
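The positional level numbering described above, worked through as an added Python example (not IBM's code). It parses a constructed [authentication-levels] stanza, reports which level numbers a method such as ext-auth-interface may claim, and flags levels whose backing mechanism is not enabled; the mechanism names and the ssl and ext-auth-interface rows of the REQUIRES_ONE_OF table are assumptions, since the reference only states the password case.

```python
"""Added example (not IBM's code): how entry order in [authentication-levels]
maps to numeric step-up levels, and how one method can occupy several."""

# Supported level names listed in the reference.
SUPPORTED_METHODS = {"unauthenticated", "password", "ssl", "ext-auth-interface"}

# Assumed mapping from a level name to mechanisms, one of which must be enabled.
# The reference states the password case (basic or forms authentication); the
# ssl and ext-auth-interface rows and the mechanism names are this example's.
REQUIRES_ONE_OF = {
    "unauthenticated": set(),
    "password": {"basic", "forms"},
    "ssl": {"certificate"},
    "ext-auth-interface": {"eai"},
}


def parse_authentication_levels(stanza_text: str) -> list:
    """Return the level names in file order; the list index is the level number
    (first row is level 0, each subsequent row the next higher level)."""
    levels = []
    for raw in stanza_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]") and "=" not in line:
            continue  # stanza header
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "level":
            raise ValueError(f"unexpected entry in [authentication-levels]: {line}")
        method = value.strip()
        if method not in SUPPORTED_METHODS:
            raise ValueError(f"unsupported authentication level: {method}")
        levels.append(method)
    return levels


def levels_for_method(levels: list, method: str) -> list:
    """All level numbers a method may claim, e.g. [2, 3] for an EAI listed twice."""
    return [n for n, name in enumerate(levels) if name == method]


def unsupported_levels(levels: list, enabled_mechanisms: set) -> list:
    """Level names configured although no mechanism backing them is enabled
    (the reference says not to list such levels)."""
    bad = []
    for name in set(levels):
        needed = REQUIRES_ONE_OF[name]
        if needed and not (needed & enabled_mechanisms):
            bad.append(name)
    return sorted(bad)


def step_up_required(levels: list, current_level: int, required_level: int) -> tuple:
    """Whether a session at current_level must step up to reach required_level,
    and which method the target level maps to. Returns (needs_step_up, method)."""
    if not 0 <= required_level < len(levels):
        raise ValueError(f"level {required_level} is not configured")
    if current_level >= required_level:
        return False, None
    return True, levels[required_level]


# Constructed stanza text matching the reference's EAI example.
SAMPLE_STANZA = """[authentication-levels]
level = unauthenticated
level = password
level = ext-auth-interface
level = ext-auth-interface
"""

if __name__ == "__main__":
    levels = parse_authentication_levels(SAMPLE_STANZA)
    for n, name in enumerate(levels):
        print(f"level {n}: {name}")
    print("EAI may set levels:", levels_for_method(levels, "ext-auth-interface"))
    print("misconfigured:", unsupported_levels(levels, {"forms", "eai"}))
```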

[aznapi-configuration] stanza

audit-attribute

Syntax

audit-attribute = attribute

Description

Attributes to be audited.

Options

attribute

Attributes to be audited.

Usage

This stanza entry is required.

Default value

tagvalue_su-admin

Example

audit-attribute = tagvalue_su-admin

auditcfg

Syntax

auditcfg = {azn|authn|http}

Description

Indicates the components for which auditing of events is configured. To enable component specific audit records, add the appropriate definition.


Options

azn Capture authorization events.

authn Capture authentication events.

http Capture HTTP events. These correspond to the events logged by the request, referer, and agent logging clients.

Usage

This stanza entry is optional for WebSEAL. However, this stanza entry is required when auditing is enabled (logaudit = yes).

Default value

There is no default value for WebSEAL, because auditing is disabled by default.

Example

Create a separate stanza entry for each component to be activated. The components are included in the default configuration file but are commented out. To activate a commented out entry, remove the pound sign (#) from the start of the entry.

auditcfg = azn

#auditcfg = authn

#auditcfg = http

auditlog

Syntax

auditlog = file_name

Description

Name of the audit trail file for WebSEAL.

Options

file_name

The file name value represents an alphanumeric string.

Usage

This stanza entry is required when auditing is enabled.

Default value

aznapi_webseald-<instance_name>.log.

where:

<instance_name>

The WebSEAL instance name. For example, default.

Example

auditlog = aznapi_webseald-default.log


cache-refresh-interval

Syntax

cache-refresh-interval = {disable|default|number_of_seconds}

Description

Poll interval between checks for updates to the master authorization server.

Options

disable

The interval value in seconds is not set.

default

When the value is set to default, an interval of 600 seconds is used.

number_of_seconds

Integer value indicating the number of seconds between polls to the master authorization server to check for updates.

The minimum number of seconds is 0. There is no maximum value.

Usage

This stanza entry is optional.

Default value

disable

Example

cache-refresh-interval = disable

cred-attribute-entitlement-services

Syntax

cred-attribute-entitlement-services = service-ID

Description

Enables the credential policy entitlements service.

Options

service-ID

ID of the service.

Usage

This stanza entry is optional.

Default value

TAM_CRED_POLICY_SVC


Example

cred-attribute-entitlement-services = TAM_CRED_POLICY_SVC

dynamic-adi-entitlement-services

Syntax

dynamic-adi-entitlement-services = service-ID

Description

A list of configured entitlements service IDs that are queried by the rules engine if missing ADI is detected during an authorization rule evaluation.

Options

service-ID

Service ID that is queried by the rules engine if missing ADI is detected during an authorization rule evaluation.

Usage

This stanza entry is optional.

Default value

None.

Example

dynamic-adi-entitlement-services = AMWebARS_A

input-adi-xml-prolog

Syntax

input-adi-xml-prolog = prolog

Description

The prolog to be added to the top of the XML document that is created using the Authorization Decision Information (ADI) needed to evaluate a boolean authorization rule.

Options

prolog The prolog to be added to the top of the XML document that is created using the Authorization Decision Information (ADI) needed to evaluate a boolean authorization rule.

Usage

This stanza entry is optional.

Default value

<?xml version='1.0' encoding='UTF-8'?>


Example

input-adi-xml-prolog = <?xml version='1.0' encoding='UTF-8'?>

listen-flags

Syntax

listen-flags = {enable|disable}

Description

Enables or disables the reception by WebSEAL of policy cache update notifications from the master authorization server.

Options

enable

Activates the notification listener.

disable

Deactivates the notification listener.

Usage

This stanza entry is required.

Default value

disable

Example

listen-flags = enable

logaudit

Syntax

logaudit = {yes|true|no|false}

Description

Enables or disables auditing.

Options

yes Enable auditing.

true Enable auditing.

no Disable auditing.

false Disable auditing.

Usage

This stanza entry is required.

Default value

no


Example

logaudit = no

logclientid

Syntax

logclientid = webseald

Description

Name of the daemon whose activities are audited through use of authorization API logging.

Options

webseald

Name of the daemon whose activities are audited through use of authorization API logging.

Usage

This stanza entry is required.

Default value

webseald

Example

logclientid = webseald

logcfg

Syntax

logcfg = category:{stdout|stderr|file|remote|rsyslog} [parameter=value[,parameter=value]...]

Description

Specifies event logging for the specified category.

Options

Specifies event logging for the specified category.

For WebSEAL, the categories are:

audit.azn

Authorization events.

audit.authn

Credentials acquisition authentication.

http All HTTP logging information.

http.clf

HTTP request information as defined by the request-log-format configuration entry in the [logging] stanza.


http.ref

HTTP Referer header information.

http.agent

HTTP User-Agent header information.

{stdout|stderr|file|remote|rsyslog}

Event logging supports a number of output destination types. WebSEAL auditing typically is configured to use the file type.

parameter = value

Each event logging type supports a number of optional parameter = value options.

For more information about output destination types and optional parameter = value settings, see the IBM Security Access Manager for Web: Administration Guide.

Usage

This stanza entry is optional.

Default value

None.

Example

Example entry for request.log (common log format) (entered as one line):

logcfg = http.clf:file path=request_file,flush=time,rollover=max_size,log_id=httpclf,buffer_size=8192,queue_size=48

logflush

Syntax

logflush = number_of_seconds

Description

Integer value indicating the frequency, in seconds, to force a flush of log buffers.

Options

number_of_seconds

The minimum value is 1 second.

The maximum value is 600 seconds.

Usage

This stanza entry is optional.

Default value

20


Example

logflush = 20

logsize

Syntax

logsize = number_of_bytes

Description

Integer value indicating the size limit of audit log files. The size limit is also referred to as the rollover threshold. When the audit log file reaches this threshold, the original audit log file is renamed and a new log file with the original name will be created.

Options

number_of_bytes

When the value is zero (0), no rollover log file is created.

When the value is a negative integer, the logs are rolled over daily, regardless of the size.

When the value is a positive integer, the value indicates the maximum size, in bytes, of the audit log file before the rollover occurs. The allowable range is from 1 byte to 2 megabytes.

Usage

This stanza entry is optional.

Default value

2000000

Example

logsize = 2000000

permission-info-returned

Syntax

permission-info-returned = permission-attribute

Description

Specifies the permission information returned to the resource manager (for example, WebSEAL) from the authorization service.

Options

permission-attribute

The azn_perminfo_rules_adi_request setting allows the authorization service to request ADI from the current WebSEAL client request. The azn_perminfo_reason_rule_failed setting specifies that rule failure reasons be returned to the resource manager (this setting is required for -R junctions).


To enable the Privacy Redirection capabilities of the AMWebARS Web Service, the azn_perminfo_amwebars_redirect_url must be included.

Usage

This stanza entry is optional.

Default value

azn_perminfo_rules_adi_request azn_perminfo_reason_rule_failed

Example

permission-info-returned = azn_perminfo_rules_adi_request azn_perminfo_reason_rule_failed

policy-attr-separator

Syntax

policy-attr-separator = separator

Description

Specifies the character that WebSEAL uses for the following services:

v Credential policy entitlements service.

v Registry entitlements service.

Note: For the credential policy entitlements service to work properly, a user's DN cannot contain the specified separator. If the user DN contains this separator then WebSEAL fails when attempting to retrieve the user's policy attributes.

Options

separator

The character that WebSEAL uses for the credential policy entitlements service and the registry entitlements service. Ensure that the chosen character is not present in any User DN values.

Usage

This stanza entry is optional.

Default value

By default, WebSEAL uses colon (:) as the separator for these services.

Example

policy-attr-separator = #

policy-cache-size

Syntax

policy-cache-size = cache_size


Description

The maximum size of the in-memory policy cache is configurable. The cache consists of policy and the relationships between policy and resources. The knowledge that a resource has no directly associated policy is also cached.

Options

cache_size

The maximum cache size should be relative to the number of policy objects defined, the number of resources protected, and the available memory.

A reasonable algorithm to begin with is: (number of policy objects * 3) + (number of protected resources * 3)

This value controls how much information is cached. A larger cache will potentially improve the application performance but use additional memory as well.

Size is specified as the number of entries.

Usage

This stanza entry is optional.

Default value

None.

Example

policy-cache-size = 32768

resource-manager-provided-adi

Syntax

resource-manager-provided-adi = prefix

Description

A list of string prefixes that identify Authorization Decision Information (ADI) to be supplied by the resource manager (in this case, WebSEAL).

Options

prefix The default settings below tell the authorization engine that when it requires ADI with the prefixes AMWS_hd_, AMWS_qs_, or AMWS_pb_ to evaluate a boolean authorization rule, and the ADI is not available in either the credential or application context passed in with the access decision call, the engine should fail the access decision and request that the resource manager retry the request and provide the required data in the application context of the next request.

Usage

This stanza entry is optional.


Default value

AMWS_hd_, AMWS_pb_, AMWS_qs_

Example

resource-manager-provided-adi = AMWS_hd_

resource-manager-provided-adi = AMWS_pb_

resource-manager-provided-adi = AMWS_qs_

xsl-stylesheet-prolog

Syntax

xsl-stylesheet-prolog = prolog

Description

The prolog to be added to the top of the XSL stylesheet that is created using the XSL text that defines a boolean authorization rule.

Options

prolog The prolog to be added to the top of the XSL stylesheet that is created using the XSL text that defines a boolean authorization rule.

Usage

This stanza entry is optional.

Default value

<?xml version='1.0' encoding='UTF-8'?> <xsl:stylesheet xmlns:xsl='http://www.w3.org/1999/XSL/Transform' version='1.0'> <xsl:output method='text' omit-xml-declaration='yes' indent='no'/> <xsl:template match='text()'></xsl:template>

Example

xsl-stylesheet-prolog = <?xml version='1.0' encoding='UTF-8'?> <xsl:stylesheet xmlns:xsl='http://www.w3.org/1999/XSL/Transform' version='1.0'> <xsl:output method='text' omit-xml-declaration='yes' indent='no'/> <xsl:template match='text()'></xsl:template>

[azn-decision-info] stanza

azn-decision-info

Syntax

<attr-name> = <http-info>

Description

This stanza defines any extra information that is available to the authorization framework when making authorization decisions. This extra information can be obtained from various elements of the HTTP request, namely:

v HTTP method

v HTTP scheme

v HTTP cookies

v Request URI

v HTTP headers

v POST data

If the requested element is not in the HTTP request, no corresponding attribute isadded to the authorization decision information.

Options

<attr-name>

The name of the attribute that contains the HTTP information.

<http-info>

The source of the information. It can be one of the following values:

v method

v scheme

v uri

v header:<header-name>

v post-data:<post-data-name>

v cookie:<cookie-name>

Usage

This stanza entry is optional.

Default value

N/A

Example

HTTP_REQUEST_METHOD = method

HTTP_HOST_HEADER = header:Host
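The attribute extraction described for this stanza, written out as an added Python example (not IBM's code). It parses a constructed [azn-decision-info] stanza and a constructed HTTP request, builds the decision-information attributes, and shows that a cookie the request does not carry produces no attribute; the attribute names, the request contents and the minimal request parser are this example's own.

```python
"""Added example (not IBM's code): how [azn-decision-info] entries pull values
out of an HTTP request, and how an absent element yields no attribute."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SIMPLE_SOURCES = ("method", "scheme", "uri")
NAMED_SOURCES = ("header", "post-data", "cookie")


def parse_azn_decision_info(stanza_text: str) -> dict:
    """Map attribute name -> (source kind, argument or None) from stanza text."""
    mapping = {}
    for raw in stanza_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]") and "=" not in line:
            continue  # stanza header
        name, sep, source = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value entry: {line}")
        kind, _, arg = source.strip().partition(":")
        if kind in SIMPLE_SOURCES and not arg:
            mapping[name.strip()] = (kind, None)
        elif kind in NAMED_SOURCES and arg:
            mapping[name.strip()] = (kind, arg)
        else:
            raise ValueError(f"unsupported http-info value: {source.strip()}")
    return mapping


def parse_request(raw_request: str, scheme: str) -> dict:
    """Minimal HTTP/1.1 request parser for this example. The scheme is not in
    the request text, so the caller supplies it (the listener knows it)."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    cookies = SimpleCookie()
    cookies.load(headers.get("cookie", ""))
    post = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        post = {k: v[0] for k, v in parse_qs(body).items()}
    return {
        "method": method,
        "scheme": scheme,
        "uri": target,
        "headers": headers,
        "cookies": {k: morsel.value for k, morsel in cookies.items()},
        "post": post,
    }


def build_decision_info(mapping: dict, request: dict) -> dict:
    """Build the ADI attributes; a source missing from the request adds nothing."""
    adi = {}
    for attr, (kind, arg) in mapping.items():
        if kind in SIMPLE_SOURCES:
            value = request[kind]
        elif kind == "header":
            value = request["headers"].get(arg.lower())
        elif kind == "post-data":
            value = request["post"].get(arg)
        else:  # cookie
            value = request["cookies"].get(arg)
        if value is not None:
            adi[attr] = value
    return adi


# Constructed stanza and request for the demonstration.
SAMPLE_STANZA = """[azn-decision-info]
HTTP_REQUEST_METHOD = method
HTTP_HOST_HEADER = header:Host
HTTP_SCHEME = scheme
TRANSFER_AMOUNT = post-data:amount
LOYALTY_COOKIE = cookie:loyalty
"""

SAMPLE_REQUEST = (
    "POST /jct/transfer HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "amount=250&account=savings"
)


def demo() -> dict:
    """Decision information for the constructed stanza and request."""
    return build_decision_info(parse_azn_decision_info(SAMPLE_STANZA),
                               parse_request(SAMPLE_REQUEST, "https"))


if __name__ == "__main__":
    for attr, value in demo().items():
        print(f"{attr} = {value}")
```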

[ba] stanza

ba-auth

Syntax

ba-auth = {none|http|https|both}

Description

Enables authentication using the Basic Authentication mechanism.

When basic authentication is enabled, you must also configure an appropriate authentication library by setting a key=value pair in the [authentication-mechanisms] stanza.

Options

{none|http|https|both}

Specifies which protocols are supported. The value both means both HTTP and HTTPS.


Usage

This stanza entry is required.

Default value

https

Example

ba-auth = https

basic-auth-realm

Syntax

basic-auth-realm = Realm_name

Description

String value that specifies the realm name.

Options

Realm_name

This name is displayed in the browser's dialog box when the user is prompted for login information. The string must consist of ASCII characters, and can contain spaces.

Usage

This stanza entry is optional.

Default value

Access Manager

Example

basic-auth-realm = Access Manager

[cdsso] stanza

authtoken-lifetime

Syntax

authtoken-lifetime = number_of_seconds

Description

Positive integer that expresses the number of seconds for which the single signon authentication token is valid.

Options

number_of_seconds

Minimum value: 1. There is no maximum value.


Usage

This stanza entry is required.

Default value

180

Example

authtoken-lifetime = 180

cdsso-argument

Syntax

cdsso-argument = argument_name

Description

Name of the argument containing the cross-domain single signon token in a query string in a request. This is used to identify incoming requests that contain CDSSO authentication information.

Options

argument_name

Name of the argument containing the cross-domain single signon token in a query string in a request. Valid characters are any ASCII characters, except for question mark ( ? ), ampersand ( & ), and equals sign ( = ).

Usage

This stanza entry is required.

Default value

PD-ID

Example

cdsso-argument = PD-ID

cdsso-auth

Syntax

cdsso-auth = {none|http|https|both}

Description

Enables WebSEAL to accept tokens. Requires that an authentication mechanism is specified for the token consume (sso-consume) library in the [authentication-mechanisms] stanza.

Options

{none|http|https|both}

Specifies which protocols are supported. The value both means both HTTP and HTTPS.


Usage

This stanza entry is required.

Default value

none

Example

cdsso-auth = none

cdsso-create

Syntax

cdsso-create = {none|http|https|both}

Description

Enables WebSEAL to accept tokens. Requires that an authentication mechanism is specified for the token create (sso-create) library in the [authentication-mechanisms] stanza.

Options

{none|http|https|both}

Specifies which protocols are supported. The value both means both HTTP and HTTPS.

Usage

This stanza entry is required.

Default value

none

Example

cdsso-create = none

clean-cdsso-urls

Syntax

clean-cdsso-urls = {yes|no}

Description

The cdsso-argument (PD-ID) and PD-REFERER query string arguments can be passed to junctions. When this option is set to yes, these will be removed from the URI before the request is passed to the junction.

Options

yes The argument containing the CDSSO token in a request query string and the PD-REFERER query string argument are removed from the URI before the request is passed to the junction.


no The CDSSO and PD-REFERER arguments are not removed from the URI before the request is passed to the junction.

Usage

This stanza entry is required.

Default value

no

Example

clean-cdsso-urls = no

propagate-cdmf-errors

Syntax

propagate-cdmf-errors = {yes|no}

Description

Controls subsequent behavior of the token creation process when the cdmf_get_usr_attributes call fails to obtain the required extended attribute information and returns an error.

Options

yes A "yes" value forces the token creation process to abort when CDMF fails to obtain attributes and returns an error.

no A "no" value (default) allows the token creation process to proceed even when CDMF fails to obtain attributes and returns an error.

Usage

This stanza entry is not required.

Default value

no

Example

propagate-cdmf-errors = no

use-utf8

Syntax

use-utf8 = {true|false}

Description

Use UTF-8 encoding for tokens used in cross domain single signon. Beginning with version 5.1, WebSEAL servers use UTF-8 encoding by default. For more information about multi-locale support with UTF-8, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.


Options

true When this stanza entry is set to true, tokens can be exchanged with other WebSEAL servers that use UTF-8 encoding. This configuration enables tokens to be used across different code pages (such as for a different language).

false For backward compatibility with tokens created by WebSEAL servers from versions prior to 5.1, set this stanza entry to false.

Usage

This stanza entry is required.

Default value

true

Example

use-utf8 = true

[cdsso-incoming-attributes] stanza

attribute_pattern

Syntax

attribute_pattern = {preserve|refresh}

Description

Attributes to accept from incoming CDSSO authentication tokens.

The attributes typically match those declared in the [cdsso-token-attributes] stanza for the WebSEAL server in the source domain.

The attribute_pattern can be either a specific value or can be a pattern that uses standard Security Access Manager wildcard characters ( *, [], ^, \, ?).

The order of attribute_pattern entries is important. The first entry that matches the attribute is used. Other entries are ignored.

Options

preserve

Attributes matching a preserve entry, or matching none of the entries, are kept. If no entries are configured, then all attributes are kept.

refresh

Attributes in CDSSO authentication tokens that match a refresh entry are removed from the token before the CDMF library is called to map the remote user into the local domain.

Usage

This stanza entry is optional.


Default value

None.

Example

my_cred_attr1 = preserve

[cdsso-peers] stanza

fully_qualified_hostname

Syntax

fully_qualified_hostname = key_file

Description

List of peer servers that are participating in cross-domain single-sign on.

Options

key_file

The name of the server's key file.

Usage

This stanza entry is optional.

Default value

None.

Example

webhost2.ibm.com = cdsso.key

[cdsso-token-attributes] stanza

<default>

Syntax

<default> = pattern1 [<default> = pattern2] ... [<default> = patternN]

Description

Credential attributes to include in CDSSO authentication tokens.

When WebSEAL cannot find a domain_name entry to match the domain, the entries in <default> are used. The word <default> is a key word and must not be modified.

Options

pattern The value for each <default> entry can be either a specific value or can be a pattern that uses standard Security Access Manager wildcard characters (*, [], ^, \, ?).

Usage

This stanza entry is optional.

Default value

None.

Example

<default> = my_cdas_attr_*

domain_name

Syntax

domain_name = pattern1
[domain_name = pattern2]
...
[domain_name = patternN]

Description

Credential attributes to include in CDSSO authentication tokens.

Options

domain_name

The domain_name specifies the destination domain containing the server that will consume the token.

pattern The value for each domain_name entry can be either a specific value or can be a pattern that uses standard Security Access Manager wildcard characters ( *, [], ^, \, ?).

Usage

This stanza entry is optional.

Default value

None.

Example

example1.com = my_cdas_attr_*
example1.com = some_exact_attribute

[certificate] stanza

accept-client-certs

Syntax

accept-client-certs = {never|required|optional|prompt_as_needed}

Description

Specifies how to handle certificates from HTTPS clients.

When certificate authentication is enabled, you must also configure an appropriate authentication library by setting a key=value pair in the [authentication-mechanisms] stanza.

Options

never Never request a client certificate.

required

Always request a client certificate. Do not accept the connection if the client does not present a certificate. When this value is set to required, all other authentication settings are ignored for HTTPS clients.

optional

Always request a client certificate. If presented, use it.

prompt_as_needed

Do not prompt for a client certificate until the client attempts to access a resource that requires certificate authentication.

Note: When this value is set, ensure that the ssl-id-sessions stanza entry in the [session] stanza is set to no.

Usage

This stanza entry is required.

Default value

never

Example

accept-client-certs = never

cert-cache-max-entries

Syntax

cert-cache-max-entries = number_of_entries

Description

Maximum number of concurrent entries in the Certificate SSL ID cache.

Options

number_of_entries

There is no absolute maximum size for the cache. However, the size of the cache cannot exceed the size of the SSL ID cache. A maximum size of 0 allows an unlimited cache size.

Usage

This stanza entry is required only when the accept-client-certs key is set to prompt_as_needed.

Default value

1024

Example

cert-cache-max-entries = 1024

cert-cache-timeout

Syntax

cert-cache-timeout = number_of_seconds

Description

Maximum lifetime, in seconds, for an entry in the Certificate SSL ID cache.

Options

number_of_seconds

The minimum value is zero (0). A value of zero means that when the cache is full, the entries are cleared based on a Least Recently Used algorithm.

Usage

This stanza entry is required only when the accept-client-certs key is set to prompt_as_needed.

Default value

120

Example

cert-cache-timeout = 120

cert-prompt-max-tries

Syntax

cert-prompt-max-tries = number_of_tries

Description

During certificate authentication, WebSEAL prompts the browser to present the client's certificate. The SSL certificate negotiation process requires that the browser open and use a new (not existing) TCP connection.

Browsers typically maintain several open TCP connections to a given server. When WebSEAL tries to prompt the browser for a certificate, the browser often tries to reuse an existing TCP connection instead of opening a new TCP connection. Therefore, the prompting process must be retried. WebSEAL might need to prompt for a certificate several times before the browser opens a new TCP connection and allows the prompting process to succeed.

This configuration option controls how many times WebSEAL attempts to begin the SSL certificate negotiation process with the browser before assuming the client cannot provide a certificate.

Options

number_of_tries

Set the value to 5 because most browsers maintain a maximum of four TCP connections to a Web server. As each attempt by the browser to process the certificate prompts on an existing TCP connection fails, that TCP connection is closed. On the fifth attempt, with all TCP connections closed, the browser's only option is to open a new TCP connection.

If the value is set to less than 5, intermittent failures of certificate authentication might occur because the browser reuses existing TCP connections instead of opening a new TCP connection. These failures are more likely to occur in environments where login or other pages contain images that browsers access immediately before triggering the certificate prompts.

Values less than 2 or greater than 15 are not permitted.

This value is not used unless accept-client-certs = prompt_as_needed.

Usage

This stanza entry is required.

Default value

5

Example

cert-prompt-max-tries = 5

disable-cert-login-page

Syntax

disable-cert-login-page = {yes|no}

Description

Determines whether the initial login page with an option to prompt for certificate is presented, or whether WebSEAL bypasses the page and directly prompts for the certificate.

Options

yes The initial login page with an option to prompt for certificate is not presented; instead, WebSEAL bypasses this page and directly prompts for the certificate.

no The initial login page with an option to prompt for certificate is presented.

Usage

This stanza entry is required.

Default value

no

Example

disable-cert-login-page = no

eai-data

Syntax

eai-data = data:header_name

Description

The client certificate data elements that will be passed to the EAI application. Multiple pieces of client certificate data can be passed to the EAI application by including multiple eai-data configuration entries.

Options

header_name

Used to indicate the name of the HTTP header which will contain the data.

data Used to indicate the data that will be included in the header. It should be one of the following:

v Base64Certificate
v SerialNumber
v SubjectCN
v SubjectLocality
v SubjectState
v SubjectCountry
v SubjectOrganization
v SubjectOrganizationalUnit
v SubjectDN
v SubjectPostalCode
v SubjectEmail
v SubjectUniqueID
v IssuerCN
v IssuerLocality
v IssuerState
v IssuerCountry
v IssuerOrganization
v IssuerOrganizationUnit
v IssuerDN
v IssuerPostalCode
v IssuerEmail
v IssuerUniqueID
v Version
v SignatureAlgorithm
v ValidFrom
v ValidFromEx
v ValidTo
v ValidToEx
v PublicKeyAlgorithm
v PublicKey
v PublicKeySize
v FingerprintAlgorithm
v Fingerprint

Usage

This stanza entry is required for EAI-based client certificate authentication.

Default value

no

Example

eai-data = SubjectCN:eai-cn
eai-data = SubjectDN:eai-dn

eai-uri

Syntax

eai-uri = uri

Description

The resource identifier of the application which will be invoked to perform the certificate authentication. This URI should be relative to the root web space of the WebSEAL server. If this configuration entry is not defined, the standard CDAS authentication mechanism will be used to handle the authentication.

Options

uri The resource identifier of the application which will be invoked to perform the certificate authentication. This URI should be relative to the root web space of the WebSEAL server.

Usage

This stanza entry is required for EAI-based client certificate authentication.

Default value

no

Example

eai-uri = /jct/cgi-bin/eaitest/eaitest.pl

[cert-map-authn] stanza

debug-level

Syntax

debug-level = level

Description

Controls the trace level for the authentication module.

Options

level Specifies the initial trace level, with 1 designating a minimal amount of tracing and 9 designating the maximum amount of tracing.

Note: You can also use the Security Access Manager pdadmin trace commands to modify the trace level by using the trace component name of pd.cas.certmap. This trace component is only available after the first HTTP request is processed.

Usage

This stanza entry is optional.

Default value

0

Note: A debug level of 0 results in no tracing output.

Example

debug-level = 5

rules-file

Syntax

rules-file = file-name

Description

The name of the rules file that the CDAS can use for certificate mapping.

Options

file-name

The name of the rules file for the certificate mapping CDAS.

Usage

This stanza entry is required.

Default value

None.

Example

rules-file = cert-rules.txt

[cfg-db-cmd:entries] stanza

stanza::entry

Syntax

stanza::entry = {include|exclude}

Description

Specifies the configuration entries that will be imported or exported from the configuration database using the cfgdb server task commands. Each configuration entry is checked sequentially against each item in the [cfg-db-cmd:entries] stanza until a match is found. This first match then controls whether the configuration entry is included in, or excluded from, the configuration database. If no match is found, the configuration entry is excluded from the configuration database.

Syntax

entry This field defines the stanza entry to be included or excluded. It may contain any pattern matching characters.

stanza This field defines the stanza containing the data entry to be included or excluded. It may contain any pattern matching characters.

Options

include

Include the specified configuration entries when importing or exporting data from the configuration database using the cfgdb server task commands.

exclude

Exclude the specified configuration entries when importing or exporting data from the configuration database using the cfgdb server task commands.

Usage

This stanza entry is not required.

Default value

WebSEAL uses the values configured in the WebSEAL configuration file. See the WebSEAL configuration file template for the default entries.

Example

server::unix-root = include
ldap::* = exclude
*::* = include
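
Added example (not code from IBM or from this reference): a Python model of the first-match rules described for [cdsso-incoming-attributes] and for [cfg-db-cmd:entries], run against the entries shown in those two examples. The glob-like reading of the wildcard characters (*, ?, [], ^, \) and the token attributes used as input are assumptions made for the demonstration.

```python
import re


def sam_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a Security Access Manager wildcard pattern into an anchored regex.

    Assumed glob-like semantics: '*' any run of characters, '?' one character,
    '[...]' a character class ('^' after '[' negates it), '\\' escapes the next
    character; everything else is literal."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch == "[" and "]" in pattern[i + 1:]:
            end = pattern.index("]", i + 1)
            out.append(pattern[i:end + 1])        # pass the class through to re
            i = end
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_stanza_lines(lines):
    """Parse 'key = value' lines of one stanza into an ordered list of pairs."""
    entries = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):     # skip blanks and comments
            key, _, value = line.partition("=")
            entries.append((key.strip(), value.strip()))
    return entries


def filter_cdsso_token_attributes(entries, token_attrs):
    """Apply [cdsso-incoming-attributes]: the first entry matching an attribute
    name decides; 'refresh' drops it before CDMF mapping, 'preserve' or no
    match keeps it."""
    kept = {}
    for name, value in token_attrs.items():
        action = "preserve"                         # no matching entry: keep
        for pattern, configured in entries:
            if sam_pattern_to_regex(pattern).match(name):
                action = configured
                break
        if action == "preserve":
            kept[name] = value
    return kept


def cfg_db_action(entries, stanza, key):
    """Apply [cfg-db-cmd:entries]: each 'stanza::entry' pattern is checked in
    order; the first match controls include/exclude, and no match excludes."""
    for pattern, action in entries:
        pat_stanza, _, pat_key = pattern.partition("::")
        if (sam_pattern_to_regex(pat_stanza).match(stanza)
                and sam_pattern_to_regex(pat_key).match(key)):
            return action
    return "exclude"


# Constructed stanza contents: the two examples from the reference.
CDSSO_INCOMING = parse_stanza_lines([
    "my_cred_attr1 = preserve",
    "tagvalue_* = refresh",
])
CFG_DB_ENTRIES = parse_stanza_lines([
    "server::unix-root = include",
    "ldap::* = exclude",
    "*::* = include",
])

if __name__ == "__main__":
    token = {"my_cred_attr1": "x", "tagvalue_session": "y", "other_attr": "z"}
    print(filter_cdsso_token_attributes(CDSSO_INCOMING, token))
    for stanza, key in [("server", "unix-root"), ("ldap", "host"), ("junction", "jmt-map")]:
        print(f"{stanza}::{key} -> {cfg_db_action(CFG_DB_ENTRIES, stanza, key)}")
```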

[cfg-db-cmd:files] stanza

files

Syntax

Either:
files = cfg(stanza::entry)

Or:
files = file_name

Description

Defines the files that will be included (that is, imported or exported) in the configuration database using the cfgdb server task commands.

Options

stanza This field specifies the name of the stanza that contains the entry with the name of the file to be included in the configuration database. The configuration value defined by stanza and entry must contain the name of the file.

entry This field specifies the stanza entry that contains the name of the file to be included in the configuration database. The configuration value defined by stanza and entry must contain the name of the file.

file_name

The name of the file.

Usage

This stanza entry is not required.

Default value

file = cfg(ssl::webseal-cert-keyfile)
file = cfg(ssl::webseal-cert-keyfile-stash)
file = cfg(junction::jmt-map)
file = cfg(server::dynurl-map)

Example

file = cert-rules.txt
file = jmt.conf
file = cfg(junction::jmt-map)

[cluster] stanza

Notes:

v It is vital that this configuration stanza is not included in the configuration database. The cluster::* = exclude configuration entry in the [cfg-db-cmd:entries] stanza ensures this exclusion.

v In addition to the configuration entries listed here, a config-version entry is added at run time in a clustered environment. This configuration entry contains version information about the current configuration. Do NOT manually edit this version information.

v All cluster members must be the same server type. You can cluster either:
– WebSEAL servers that are running on Web Gateway appliances.
– WebSEAL servers that are running on standard operating systems.

is-master

Syntax

is-master = {yes|no}

Description

Is this server the master for the WebSEAL cluster? You need to have a single master for each cluster. Any modifications to the configuration of a cluster must be made on the master.

Options

yes

This server is the master for the WebSEAL cluster.

no This server is not the master for the WebSEAL cluster. The name of the master server must be specified in the master-name configuration entry that is also in the [cluster] stanza.

Usage

This stanza entry is required in a clustered environment. This stanza entry is not required for a single server environment.

Default value

There is no default value.

Example

is-master = no

master-name

Syntax

master-name = azn-name

Description

Defines the authorization server name of the master for the WebSEAL cluster.

Options

azn-name

The authorization server name of the master.

Usage

This stanza entry is required if the value for is-master (also in the [cluster] stanza) is set to no. If the is-master entry is set to yes, WebSEAL ignores this master-name entry.

Default value

There is no default value.

Example

master-name = default-webseald-master.ibm.com

max-wait-time

Syntax

max-wait-time = number

Description

Specifies the maximum amount of time to wait, in seconds, for a slave server to be restarted. This configuration entry is only applicable to the master server.

Options

number

The maximum number of seconds to wait for a slave server to be restarted.

Usage

This configuration entry is required if is-master (also in the [cluster] stanza) is set to yes.

Default value

60

Example

max-wait-time = 60

[compress-mime-types] stanza

mime_type

Syntax

mime_type = minimum_doc_size:[compression_level]

Description

Enables or disables HTTP compression based on the mime-type of the response and the size of the returned document.

Options

mime_type

The mime_type can contain a wild card pattern such as an asterisk ( * ) for the subtype, or it can be "*/*" to match all mime-types.

minimum_doc_size

The minimum_doc_size is an integer that can be positive, negative or zero. A size of -1 means do not compress this mime-type. A size of 0 means to compress the document regardless of its size. A size greater than 0 means to compress the document only when its initial size is greater than or equal to minimum_doc_size.

compression_level

The compression_level is an integer value between 1 and 9. The larger number results in a higher amount of compression. When compression_level is not specified, a default level of 1 is used.

Usage

This stanza entry is optional.

Default value

*/* = -1

Example

image/* = -1
text/html = 1000

[compress-user-agents] stanza

pattern

Syntax

pattern = {yes|no}

Description

Enables or disables HTTP compression based on the user-agent header sent by clients. This entry is used to disable compression for clients which send an "accept-encoding: gzip" HTTP header but do not actually handle gzip content-encodings properly. An example of a user agent is a browser, such as Microsoft Internet Explorer 6.0.

Options

yes Enables HTTP compression based on the user-agent header sent by clients.

no Disables HTTP compression based on the user-agent header sent by clients.

Usage

This stanza entry is optional.

Default value

None.

Example

*MSIE 6.0* = yes
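
Added example (not code from IBM or from this reference): a Python model of the compression decision that the [compress-mime-types] and [compress-user-agents] entries above describe, evaluated for a few constructed responses. It assumes simple glob matching for both pattern types, that the user-agent check is applied before the mime-type rules, and that q-values in Accept-Encoding can be ignored; the user-agent entry is set to no here to show the disabling case the description talks about.

```python
from fnmatch import fnmatchcase


def parse_compress_mime_types(lines):
    """Parse [compress-mime-types] entries of the form
    mime_type = minimum_doc_size[:compression_level] into (pattern, size, level)."""
    rules = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mime, _, spec = line.partition("=")
        size_text, _, level_text = spec.strip().partition(":")
        size = int(size_text)
        if size < -1:
            raise ValueError(f"minimum_doc_size must be -1, 0 or positive: {line}")
        level = int(level_text) if level_text else 1      # unspecified level: 1
        if not 1 <= level <= 9:
            raise ValueError(f"compression_level must be 1-9: {line}")
        rules.append((mime.strip(), size, level))
    return rules


def parse_compress_user_agents(lines):
    """Parse [compress-user-agents] entries: pattern = yes|no."""
    rules = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, flag = line.partition("=")
        rules.append((pattern.strip(), flag.strip().lower() == "yes"))
    return rules


def client_accepts_gzip(accept_encoding):
    """True when the Accept-Encoding header lists gzip (q-values ignored here)."""
    codings = [c.split(";")[0].strip().lower() for c in accept_encoding.split(",")]
    return "gzip" in codings


def compression_level(mime_rules, ua_rules, content_type, doc_size,
                      accept_encoding, user_agent):
    """Return the gzip level to apply to a response, or None to send it as is.

    Assumed order of checks: the client must advertise gzip; the first matching
    [compress-user-agents] pattern decides and 'no' disables compression; then
    the first [compress-mime-types] pattern matching the Content-Type decides by
    minimum_doc_size (-1 never, 0 always, N only when doc_size >= N)."""
    if not client_accepts_gzip(accept_encoding):
        return None
    for pattern, enabled in ua_rules:
        if fnmatchcase(user_agent, pattern):
            if not enabled:
                return None
            break
    mime = content_type.split(";")[0].strip().lower()   # drop charset etc.
    for pattern, min_size, level in mime_rules:
        if fnmatchcase(mime, pattern):
            if min_size == -1:
                return None
            if min_size == 0 or doc_size >= min_size:
                return level
            return None
    return None               # nothing matched: same as the default */* = -1


# Constructed entries: the reference's own examples plus one explicit level.
MIME_RULES = parse_compress_mime_types([
    "image/* = -1",
    "text/html = 1000",
    "application/json = 0:6",
])
UA_RULES = parse_compress_user_agents(["*MSIE 6.0* = no"])

if __name__ == "__main__":
    print(compression_level(MIME_RULES, UA_RULES, "text/html; charset=UTF-8",
                            5000, "gzip, deflate", "Mozilla/5.0"))
```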

[content] stanza

utf8-template-macros-enabled

Syntax

utf8-template-macros-enabled = {yes|no}

Description

Specifies how standard WebSEAL HTML files, such as login.html, have data inserted into them when %MACRO% strings are encountered.

This entry affects files in the management and errors directories. You can manage these directories from the Manage Reverse Proxy Management Root page of the LMI.

WebSEAL HTML pages use a UTF-8 character set by default. If you modify the character set to specify the local code page, set this entry to no.

Options

yes When set to yes, data is inserted in UTF-8 format.

no When set to no, data is inserted in the local code page format.

Usage

This stanza entry is required.

Default value

yes

Example

utf8-template-macros-enabled = yes

[content-cache] stanza

MIME_type

Syntax

MIME_type = cache_type:cache_size:maximum_age

Description

List of entries that define the caches which WebSEAL uses to store documents in memory.

Options

MIME_type

Any valid MIME type conveyed in an HTTP Content-Type: response header. This value may contain an asterisk to denote a wildcard ( * ). A value of */* represents a default object cache that holds any object that does not correspond to an explicitly configured cache.

cache_type

Defines the type of backing store to use for the cache. Only memory caches are supported.

cache_size

The maximum size, in kilobytes, to which the cache grows before objects are removed according to a least-recently-used algorithm. The minimum allowable value is 1 kilobyte. WebSEAL reports an error and fails to start if the value is less than or equal to zero (0). WebSEAL does not impose a maximum allowable value.

def-max-age

Specifies the maximum age (in seconds) if expiry information is missing from the original response. If no value is provided, a default maximum age of 3600 (one hour) will be applied. The configured default maximum age is only used when the cached response is missing the cache control headers: Cache-Control, Expires, and Last-Modified.

Note: If only Last-Modified is present, the maximum age will be calculated as ten percent of the difference between the current time and the last-modified time.

Usage

This stanza entry is optional.

Default value

None.

Example

text/html = memory:2000:3600
# image/* = memory:5000:3600
# */* = memory:1000:3600
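
Added example (not code from IBM or from this reference): a Python model of the [content-cache] entry format and of the maximum-age rules given for def-max-age, including the ten-percent Last-Modified rule. The precedence Cache-Control, then Expires, then Last-Modified, the treatment of no-store and no-cache as "do not serve from cache", the first-match selection of a cache by MIME pattern, and the fixed "current time" and sample headers are assumptions made for the demonstration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from fnmatch import fnmatchcase


def parse_content_cache(lines):
    """Parse [content-cache] entries MIME_type = cache_type:cache_size:maximum_age
    into an ordered list of (pattern, cache_type, size_kb, max_age)."""
    caches = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue                                      # '#' lines are comments
        mime, _, spec = line.partition("=")
        fields = spec.strip().split(":")
        if len(fields) < 2:
            raise ValueError(f"expected cache_type:cache_size[:maximum_age]: {line}")
        cache_type, size_text = fields[0], fields[1]
        age_text = fields[2] if len(fields) > 2 else ""
        if cache_type != "memory":
            raise ValueError(f"only memory caches are supported: {line}")
        size_kb = int(size_text)
        if size_kb < 1:
            raise ValueError(f"cache_size must be at least 1 kilobyte: {line}")
        max_age = int(age_text) if age_text else 3600     # missing: one hour
        caches.append((mime.strip(), cache_type, size_kb, max_age))
    return caches


def select_cache(caches, content_type):
    """Return the first cache whose MIME pattern matches the Content-Type."""
    mime = content_type.split(";")[0].strip().lower()
    for cache in caches:
        if fnmatchcase(mime, cache[0]):
            return cache
    return None


def freshness_lifetime(headers, def_max_age, now):
    """Seconds a cached response stays fresh, following the def-max-age rules:
    explicit cache headers win; with only Last-Modified the lifetime is ten
    percent of (now - Last-Modified); with none of the three, def_max_age."""
    h = {k.lower(): v for k, v in headers.items()}
    if "cache-control" in h:
        directives = [d.strip().lower() for d in h["cache-control"].split(",")]
        if "no-store" in directives or "no-cache" in directives:
            return 0                                      # assumed: never serve from cache
        for d in directives:
            if d.startswith("max-age="):
                return max(0, int(d[len("max-age="):]))
    if "expires" in h:
        expires = parsedate_to_datetime(h["expires"])
        return max(0, int((expires - now).total_seconds()))
    if "last-modified" in h:
        last_modified = parsedate_to_datetime(h["last-modified"])
        return max(0, int((now - last_modified).total_seconds())) // 10
    return def_max_age


def cache_lifetime(caches, content_type, headers, now):
    """Pick the cache for the Content-Type, then compute how long the response
    stays fresh using that cache's maximum_age as the def-max-age value."""
    cache = select_cache(caches, content_type)
    if cache is None:
        return None                                       # not cached at all
    return freshness_lifetime(headers, cache[3], now)


# Constructed entries and a fixed 'current time' for the demonstration.
CACHES = parse_content_cache([
    "text/html = memory:2000:3600",
    "image/* = memory:5000:86400",
    "*/* = memory:1000:600",
])
NOW = datetime(2012, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_HEADERS = {
    "only-last-modified": {"Last-Modified": "Fri, 01 Jun 2012 02:00:00 GMT"},
    "max-age": {"Cache-Control": "public, max-age=600",
                "Last-Modified": "Fri, 01 Jun 2012 02:00:00 GMT"},
    "expires": {"Expires": "Fri, 01 Jun 2012 12:05:00 GMT"},
    "no-store": {"Cache-Control": "no-store"},
    "none": {},
}

if __name__ == "__main__":
    for name, headers in SAMPLE_HEADERS.items():
        print(name, cache_lifetime(CACHES, "text/html; charset=UTF-8", headers, NOW))
```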

[content-encodings] stanza

extension

Syntax

extension = encoding_type

Description

Entries in this stanza map a document extension to an encoding type. This mapping is used by WebSEAL to report the correct MIME type in its response content-type header for local junction files. This mapping is necessary so that WebSEAL can communicate to a browser that encoded (binary) data is being returned.

The MIME types defined in this stanza must also be defined in [content-mime-types].

When WebSEAL encounters a document with two extensions, such as .txt.Z, it produces two headers:
content-type: text/plain
content-encoding: x-compress

Thus even though the data is compressed, the response to the browser says text/plain. However, the extra content-encoding header tells the browser that the data is compressed text/plain.

In most cases, the administrator does not need to add additional entries. However, if the administrator introduces a new extension type that requires more than a text/plain response, the extension and encoding_type should be added to this stanza.

Options

encoding_type

Encoding type.

Usage

This stanza entry is required.

Default value

gz = x-gzip
Z = x-compress

Example

gz = x-gzip
Z = x-compress

[content-index-icons] stanza

type

Syntax

type = relative_pathname

Description

Entries in this stanza specify icons to use in directory indices. The relative_pathname is the path name to the location of the icon.

Administrators can add additional entries. The type must refer to valid MIME types. The wildcard character (*) is limited to entries of one collection of MIME types. For example, image/*. No further wildcard expansion is done. For a list of MIME types, see the [content-mime-types] stanza.

The relative_pathname can be any valid URI within the WebSEAL protected object space, as defined in doc-root.

Options

type The type indicates a wildcard pattern for a collection of MIME types.

relative_pathname

The path name is relative to the WebSEAL protected object space, as set in the doc-root entry in the [content] stanza.

Usage

The entries in this stanza are optional.

Default value

The WebSEAL configuration file provides the following default entries:
image/* = /icons/image2.gif
video/* = /icons/movie.gif
audio/* = /icons/sound2.gif
text/html = /icons/generic.gif
text/* = /icons/text.gif
application/x-tar = /icons/tar.gif
application/* = /icons/binary.gif

Example

image/* = /icons/image2.gif

[credential-policy-attributes] stanza

policy-name

Syntax

policy-name = credential-attribute-name

Description

Controls which Access Manager policy values are stored in credentials during authentication.

Options

credential-attribute-name

Credential attribute name.

Usage

This stanza entry is optional.

Default value

None.

Example

AZN_POLICY_MAX_FAILED_LOGIN = tagvalue_max_failed_login

[credential-refresh-attributes] stanza

attribute_name_pattern

Syntax

attribute_name_pattern = {preserve|refresh}

Description

Specifies whether an attribute, or group of attributes that match a pattern, should be preserved or refreshed during a credential refresh.

Options

preserve

Original attribute value preserved in new credential.

refresh

Original attribute value refreshed in new credential.

Usage

This stanza entry is optional.

Default value

preserve

Example

tagvalue_* = preserve

authentication_level

Syntax

authentication_level = {preserve|refresh}

Description

Specifies whether the authentication level for the user should be preserved or refreshed during a credential refresh. The authentication level can reflect the results of an authentication strength policy (step-up authentication). In most cases, this level should be preserved during a credential refresh.

Options

preserve

Original attribute value preserved in new credential.

refresh

Original attribute value refreshed in new credential.

Usage

This stanza entry is required.

Default value

preserve

Example

authentication_level = preserve

[dsess] stanza

dsess-sess-id-pool-size

Syntax

dsess-sess-id-pool-size = number

Description

The maximum number of session IDs that are pre-allocated within the replica set.

Note: This option is used by the [dsess-cluster] stanza.

Options

number

The maximum number of session IDs that are pre-allocated within the replica set.

Usage

This stanza entry is required when:
[session]
dsess-enabled = yes

Default value

125

Example

dsess-sess-id-pool-size = 125

dsess-cluster-name

Syntax

dsess-cluster-name = SMS cluster name

Description

Specifies the name of the SMS cluster to which this SMS server belongs.

Options

SMS cluster name

The name of the SMS cluster to which this SMS server belongs. This field must be defined and reference an existing dsess-cluster stanza qualified by the value of this entry.

Usage

This stanza entry is required when:
[session]
dsess-enabled = yes

Default value

dsess

Example

dsess-cluster-name = dsess

[dsess-cluster] stanza

basic-auth-user

Syntax

basic-auth-user = user_name

Description

Specifies the name of the user that is included in the basic authentication header.

Options

user_name

The user name to be included in the basic authentication header.

Usage

This stanza entry is optional.

Default value

None.

Example

basic-auth-user = user_name

basic-auth-passwd

Syntax

basic-auth-passwd = password

Description

Specifies the password that is included in the basic authentication header.

Options

password

The password to be included in the basic authentication header.

Usage

This stanza entry is optional.

Default value

None.

Example

basic-auth-passwd = password

gsk-attr-name

Syntax

gsk-attr-name = {enum | string | number}:id:value

Description

Specify additional GSKit attributes to use when initializing an SSL connection with the Session Management Server (SMS). A complete list of the available attributes is included in the GSKit SSL API documentation. This configuration entry can be specified multiple times. Configure a separate entry for each GSKit attribute.

Options

{enum | string | number}

The GSKit attribute type.

id The identity associated with the GSKit attribute.

value The value for the GSKit attribute.

Usage

This stanza entry is optional.

You cannot configure the following restricted GSKit attributes:
GSK_KEYRING_FILE
GSK_KEYRING_STASH_FILE
GSK_KEYRING_LABEL
GSK_CIPHER_V2
GSK_V3_CIPHER_SPECS
GSK_PROTOCOL_TLSV1
GSK_FIPS_MODE_PROCESSING

If you attempt to modify any of these attributes then an error message will be generated.

Default value

None.

Example

The following entry is for the GSKit attribute GSK_HTTP_PROXY_SERVER_NAME, which has an identity value of 225:
gsk-attr-name = string:225:proxy.ibm.com

See also

“gsk-attr-name” on page 284
“jct-gsk-attr-name” on page 287
“gsk-attr-name” on page 313

handle-idle-timeout

Syntax

handle-idle-timeout = number

Description

Limits the length of time that a handle remains idle before it is removed from the handle pool cache.

Options

number

The length of time, in seconds, before an idle handle will be removed from the handle pool cache.

Usage

This stanza entry is required when:
[session]
dsess-enabled = yes

Default value

240

Example

handle-idle-timeout = 240

handle-pool-size

Syntax

handle-pool-size = number

Description

The maximum number of idle Simple Object Access Protocol (SOAP) handles that the dsess client will maintain at any given time.

Options

number

The maximum number of idle SOAP handles that the dsess client will maintain at any given time.

Usage

This stanza entry is required when:
[session]
dsess-enabled = yes

Default value

10

Example

handle-pool-size = 10

response-by

Syntax

response-by = seconds

Description

The length of time (in seconds) that the dsess client will block to wait for updates from the Session Management Server (SMS).

Options

seconds

The length of time (in seconds) that the dsess client will block to wait for updates from the SMS.

Usage

This stanza entry is required when:
[session]
dsess-enabled = yes

Default value

60

Example

response-by = 60

server

Syntax

server = {[0-9],}<URL>

Description

Specifies a priority level and URL for each SMS server that is a member of this cluster. Multiple server entries can be specified for a given cluster.

Options

0-9 A digit, 0-9, that represents the priority of the server within the cluster (9 being the highest, 0 being the lowest). If the priority is not specified, a priority of 9 is assumed.

Note: There can be no space between the comma (,) and the URL. If no priority is specified, the comma is omitted.

URL A well-formed HTTP or HTTPS uniform resource locator for the server.

Usage

This stanza entry is required when:
[session]
dsess-enabled = yes

Default value

This entry is disabled by default.

Example

server = 9,http://sms.example.com/DSess/services/DSess

ssl-fips-enabled

Syntax

ssl-fips-enabled = {yes|no}

Description

Determines whether Federal Information Processing Standards (FIPS) mode is enabled on the session management server. If no configuration entry is present, the global setting (determined by the ssl-fips-enabled entry in the [ssl] stanza of the policy server) takes effect. When set to "yes", or when the setting in the policy server configuration file is set to "yes", Transport Layer Security (TLS) version 1 (TLSv1) is the secure communication protocol used. When set to "no", or when the setting in the policy server configuration file is set to "no", SSL version 3 (SSLv3) is the secure communication protocol used.

Options

yes Indicates that TLSv1 is the secure communication protocol.

no Indicates that SSLv3 is the secure communication protocol.

Usage

This stanza entry is optional.

Default value

None.

If a different FIPS level than that of the policy server is required, it is the responsibility of the administrator to edit the configuration file, uncomment the stanza entry, and specify this value.

Example

ssl-fips-enabled = yes

ssl-keyfile

Syntax

ssl-keyfile = file_name

Description

The name of the key database file, which houses the client certificate to be used.

Options

file_name

The name of the key database file that houses the client certificate for WebSEAL to use.

Usage

This stanza entry is only required if one or more of the cluster server URLsspecified in the server entries uses SSL (that is, contains an HTTPS protocolspecification in the URL). If no cluster server uses the HTTPS protocol, this entry isnot required. If this entry is required but is not specified in the [dsess-cluster]stanza, the value will be taken from the global [ssl] stanza.[session]dsess-enabled = yes

Default value

None.

Examplessl-keyfile = file_name
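The following is an added example, not IBM code, that applies the rules documented for the server entry (optional single-digit priority, no space after the comma, priority 9 when omitted) and then reports whether any cluster URL uses HTTPS, which is the condition under which ssl-keyfile becomes required. The host names in the sample stanza are constructed placeholders.

```python
"""Parse [dsess-cluster] 'server' entries and decide whether ssl-keyfile is needed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ClusterServer:
    priority: int   # 9 is the highest priority, 0 the lowest
    url: str

    @property
    def uses_ssl(self) -> bool:
        return urlsplit(self.url).scheme.lower() == "https"


def parse_server_value(value: str) -> ClusterServer:
    """Parse the right-hand side of one 'server = ...' entry.

    Accepted forms: 'http://host/path' or '9,http://host/path'.
    Raises ValueError for values that break the documented rules.
    """
    value = value.strip()
    priority = 9          # assumed when no priority is given
    url = value
    # A priority is present only as '<digit>,' at the very start of the value.
    if len(value) >= 2 and value[0].isdigit() and value[1] == ",":
        prio_text, url = value.split(",", 1)
        if url != url.lstrip():
            # The reference notes there can be no space after the comma.
            raise ValueError(f"no space allowed between the comma and the URL: {value!r}")
        priority = int(prio_text)
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not a well-formed HTTP or HTTPS URL: {url!r}")
    return ClusterServer(priority=priority, url=url)


def parse_dsess_cluster(stanza_text: str) -> List[ClusterServer]:
    """Collect every 'server' entry of a [dsess-cluster] stanza, highest priority first."""
    servers: List[ClusterServer] = []
    for line in stanza_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, _, val = line.partition("=")
        if key.strip() == "server":
            servers.append(parse_server_value(val))
    # sorted() is stable, so equal priorities keep their configured order.
    return sorted(servers, key=lambda s: s.priority, reverse=True)


def ssl_keyfile_required(servers: List[ClusterServer]) -> bool:
    """ssl-keyfile is required only when at least one cluster URL uses HTTPS."""
    return any(s.uses_ssl for s in servers)


# Constructed sample stanza; the hosts are placeholders, not real systems.
SAMPLE_STANZA = """
[dsess-cluster]
server = 9,http://sms1.example.com/DSess/services/DSess
server = https://sms2.example.com/DSess/services/DSess
server = 3,http://sms3.example.com/DSess/services/DSess
"""

if __name__ == "__main__":
    cluster = parse_dsess_cluster(SAMPLE_STANZA)
    for server in cluster:
        print(server.priority, server.url)
    print("ssl-keyfile required:", ssl_keyfile_required(cluster))
```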

ssl-keyfile-label

Syntax

ssl-keyfile-label = label_name

Description

The label of the client certificate within the key database.

Options

label_name
    Client certificate label name.

Usage

This stanza entry is required when:

[session]
dsess-enabled = yes


Note: If this entry is required but is not specified in the [dsess-cluster] stanza, the value will be taken from the global [ssl] stanza.

Default value

None.

Example

ssl-keyfile-label = label_name

ssl-keyfile-stash

Syntax

ssl-keyfile-stash = file_name

Description

The name of the password stash file for the key database file.

Options

file_name
    The password stash file.

Usage

This stanza entry is required when:

[session]
dsess-enabled = yes

Note: If this entry is required but is not specified in the [dsess-cluster] stanza, the value will be taken from the global [ssl] stanza.

Default value

None.

Example

ssl-keyfile-stash = file_name

ssl-valid-server-dn

Syntax

ssl-valid-server-dn = certificate_DN

Description

Specifies the DN of the server (obtained from the server SSL certificate) that is accepted. If no entry is configured, any valid certificate signed by a CA in the key file is accepted.

Options

value Specifies the DN of the server (obtained from the server SSL certificate) that is accepted. If no entry is configured, any valid certificate signed by a CA in the key file is accepted.


Usage

This stanza entry is required when:

[session]
dsess-enabled = yes

Default value

None.

Example

ssl-valid-server-dn = value

timeout

Syntax

timeout = seconds

Description

The length of time (in seconds) to wait for a response to be received back from the SMS.

Options

seconds
    The length of time (in seconds) to wait for a response to be received back from the SMS.

Usage

This stanza entry is required when:

[session]
dsess-enabled = yes

Default value

30

Example

timeout = 30

[eai] stanza

eai-auth

Syntax

eai-auth = {none|http|https|both}

Description

Enables the external authentication interface.


Options

{none|http|https|both}
    Enables the external authentication interface. No other external authentication interface parameters will take effect if set to "none".

Usage

This stanza entry is required.

Default value

none

Example

eai-auth = none

eai-auth-level-header

Syntax

eai-auth-level-header = header-name

Description

Specifies the name of the header that contains the authentication strength level for the generated credential.

Options

header-name
    The name of the header that contains the authentication strength level for the generated credential.

Usage

This stanza entry is optional.

Default value

am-eai-auth-level

Example

eai-auth-level-header = am-eai-auth-level

eai-flags-header

Syntax

eai-flags-header = header-name

Description

Specifies the name of the header that 'flags' the authentication response with extra processing information. WebSEAL supports the following header values as flags:


stream
    Causes WebSEAL to stream the EAI authentication response back to the client.

For more details, see the information about external authentication interface authentication flags in the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.

Options

header-name
    The name of the EAI flags header.

Usage

This stanza entry is optional.

Default value

am-eai-flags

Example

eai-flags-header = am-eai-flags

eai-pac-header

Syntax

eai-pac-header = header-name

Description

Specifies the name of the Privilege Attribute Certificate (PAC) header that contains authentication data returned from the external authentication interface server.

Options

header-name
    The name of the privilege attribute certificate (PAC) header that contains authentication data returned from the external authentication interface server.

Usage

This stanza entry is optional.

Default value

am-eai-pac

Example

eai-pac-header = am-eai-pac

eai-pac-svc-header

Syntax

eai-pac-svc-header = header-name


Description

Specifies the name of the header that contains the service ID that is used to convert the PAC into a credential.

Options

header-name
    The name of the header that contains the service ID that is used to convert the PAC into a credential.

Usage

This stanza entry is optional.

Default value

am-eai-pac-svc

Example

eai-pac-svc-header = am-eai-pac-svc

eai-redir-url-header

Syntax

eai-redir-url-header = header-name

Description

Specifies the name of the header that contains the URL a client is redirected to upon successful authentication.

Options

header-name
    The name of the header that contains the URL a client is redirected to upon successful authentication.

Usage

This stanza entry is optional.

Default value

am-eai-redir-url

Example

eai-redir-url-header = am-eai-redir-url

eai-session-id-header

Syntax

eai-session-id-header = header-name


Description

The name of the header that contains the session identifier of the distributed session to be shared across multiple DNS domains.

Options

header-name
    The name of the header that contains the session identifier of the distributed session to be shared across multiple DNS domains.

Usage

This stanza entry is required.

Default value

am-eai-session-id

Example

eai-session-id-header = am-eai-session-id

eai-user-id-header

Syntax

eai-user-id-header = header-name

Description

Specifies the name of the header that contains the ID of the user used when generating a credential.

Options

header-name
    The name of the header that contains the ID of the user used when generating a credential.

Usage

This stanza entry is optional.

Default value

am-eai-user-id

Example

eai-user-id-header = am-eai-user-id

eai-verify-user-identity

Syntax

eai-verify-user-identity = {yes|no}


Description

During the EAI re-authentication process, this configuration entry determines whether the new user identity must match the user identity from the previous authentication.

Options

yes During EAI authentication, the new user identity is compared with the user identity from the previous authentication. If the user identities do not match, an error is returned.

no EAI authentication proceeds without verifying the new user identity.

Usage

This stanza entry is optional.

Default value

no

Example

eai-verify-user-identity = yes

eai-xattrs-header

Syntax

eai-xattrs-header = header-name[,header-name...]

Description

Specifies a comma-delimited list of header names. WebSEAL examines the response for headers with the specified names and creates extended attributes using the name of the header as the attribute name and the value of the header as the attribute value.

For example, if the following headers are returned in the HTTP response:

am-eai-xattrs: creditcardexpiry, streetaddress
creditcardexpiry: 090812
streetaddress: 555 homewood lane

WebSEAL will:

1. Examine the am-eai-xattrs header
2. Detect two headers to look for in the response
3. Find those headers and their values
4. Add the two specified attributes to the credential

Options

header-name[,header-name...]
    One or more (comma delimited) header names that are added to the credential as extended attributes.


Usage

This stanza entry is optional.

Default value

am-eai-xattrs

Example

eai-xattrs-header = am-eai-xattrs
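The four-step walk-through above, as an added example that is not WebSEAL code: it reads the am-eai-xattrs header of an EAI response, splits the declared names and collects their values as extended attributes, alongside the default user-id and auth-level headers of the [eai] stanza. Assumptions: header names compare case-insensitively, a declared header that is absent from the response is skipped (the reference does not say what WebSEAL does in that case), and only user-id based responses are handled, not PAC based ones. The sample response headers are constructed.

```python
"""Extract EAI credential data from HTTP response headers, following the walk-through."""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple

# Default header names from the [eai] stanza.
EAI_USER_ID_HEADER = "am-eai-user-id"
EAI_AUTH_LEVEL_HEADER = "am-eai-auth-level"
EAI_XATTRS_HEADER = "am-eai-xattrs"

Headers = List[Tuple[str, str]]


def parse_headers(raw: str) -> Headers:
    """Turn raw 'Name: value' lines into (name, value) pairs, keeping their order."""
    pairs: Headers = []
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            pairs.append((name.strip(), value.strip()))
    return pairs


def header_value(headers: Headers, name: str) -> Optional[str]:
    """First value of a header, compared case-insensitively (assumption)."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def extended_attributes(headers: Headers,
                        xattrs_header: str = EAI_XATTRS_HEADER) -> Dict[str, str]:
    """Steps 1-4: read the xattrs header, split it, find each named header, collect."""
    declared = header_value(headers, xattrs_header)      # step 1
    if declared is None:
        return {}
    attrs: Dict[str, str] = {}
    for name in (part.strip() for part in declared.split(",")):   # step 2
        if not name:
            continue
        value = header_value(headers, name)               # step 3
        if value is not None:                             # absent header: skipped (assumption)
            attrs[name] = value                           # step 4
    return attrs


def build_credential(headers: Headers) -> Optional[Dict[str, object]]:
    """Credential data from a user-id based EAI response; None when no user id is present."""
    user_id = header_value(headers, EAI_USER_ID_HEADER)
    if user_id is None:
        return None
    return {
        "user_id": user_id,
        "auth_level": header_value(headers, EAI_AUTH_LEVEL_HEADER),
        "xattrs": extended_attributes(headers),
    }


# Constructed sample response headers; values are placeholders.
SAMPLE_RESPONSE_HEADERS = """\
Content-Type: text/html
am-eai-user-id: testuser
am-eai-auth-level: 2
am-eai-xattrs: creditcardexpiry, streetaddress
creditcardexpiry: 090812
streetaddress: 555 homewood lane
"""

if __name__ == "__main__":
    print(build_credential(parse_headers(SAMPLE_RESPONSE_HEADERS)))
```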

retain-eai-session

Syntax

retain-eai-session = {yes|no}

Description

Specifies whether the existing session and session cache entry for a client are retained or replaced when an already-authenticated EAI client authenticates through an EAI a second time.

Options

yes If an already-authenticated EAI client authenticates through an EAI a second time, the existing session and session cache entry for the client are retained, and the new credential is stored in the existing cache entry.

no If an already-authenticated EAI client authenticates through an EAI a second time, the existing session and session cache entry for the client are completely replaced and the new credential is stored in the new cache entry.

Usage

This stanza entry is required.

Default value

no

Example

retain-eai-session = no

[eai-trigger-urls] stanza

trigger

Syntax

trigger = url-pattern

Description

Format for standard WebSEAL junctions. Specifies the trigger URL that causes WebSEAL to set a special flag on the request. Responses to this request also


contain the flag, which causes WebSEAL to intercept and examine the response for authentication data located in special HTTP headers.

Options

url-pattern
    The trigger URL (format for standard WebSEAL junctions) that causes WebSEAL to set a special flag on the request.

Usage

There must be at least one entry when eai-auth is not "none".

Default value

None.

Example

trigger = /jct/cgi-bin/eaitest/*

trigger

Syntax

trigger = HTTP[S]://virtual-host-name[:port_number]/url-pattern

Description

Format for virtual host junctions. Specifies the trigger URL that causes WebSEAL to set a special flag on the request. Responses to this request also contain the flag, which causes WebSEAL to intercept and examine the response for authentication data located in special HTTP headers.

For virtual host junctions to match a trigger, they must use the same protocol and the same virtual-host-name and port number as the trigger.

Options

HTTP[S]://virtual-host-name[:port_number]/url-pattern
    The trigger URL (format for virtual host junctions) that causes WebSEAL to set a special flag on the request.

Usage

There must be at least one entry when eai-auth is not "none".

Default value

None.

Example

trigger = HTTPS://vhost1.example.com:4344/jct/cgi-bin/eaitest/*
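The two trigger forms above, as an added example that is not WebSEAL code: it parses both the standard-junction and virtual-host-junction forms and decides whether a request would be flagged for EAI response inspection, enforcing the rule that a virtual host junction must match the trigger's protocol, host and port. Assumptions: '*' in url-pattern matches any run of characters (fnmatch semantics), a trigger without a port means the protocol's default port, protocol and host compare case-insensitively, and the path compares exactly.

```python
"""Match requests against [eai-trigger-urls] triggers."""
from __future__ import annotations

from fnmatch import fnmatchcase
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}   # assumed when the trigger omits a port


class Trigger(NamedTuple):
    scheme: Optional[str]    # None for a standard-junction trigger
    host: Optional[str]
    port: Optional[int]
    path_pattern: str


def parse_trigger(value: str) -> Trigger:
    """Parse '/url-pattern' or 'HTTP[S]://virtual-host-name[:port]/url-pattern'."""
    value = value.strip()
    if value.startswith("/"):
        return Trigger(None, None, None, value)
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT or not parts.hostname:
        raise ValueError(f"unsupported trigger form: {value!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORT[scheme]
    return Trigger(scheme, parts.hostname.lower(), port, parts.path or "/")


def load_triggers(stanza_text: str) -> List[Trigger]:
    """Collect every 'trigger' entry of an [eai-trigger-urls] stanza."""
    triggers: List[Trigger] = []
    for line in stanza_text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() == "trigger":
            triggers.append(parse_trigger(val))
    return triggers


def is_trigger_request(triggers: List[Trigger], scheme: str, host: str, port: int,
                       path: str, virtual_host_junction: bool) -> bool:
    """True when WebSEAL would set the EAI flag on this request."""
    for t in triggers:
        if virtual_host_junction:
            if t.scheme is None:
                continue     # standard-junction triggers do not apply to vhost junctions
            if (t.scheme, t.host, t.port) != (scheme.lower(), host.lower(), port):
                continue     # protocol, virtual host name and port must all match
        elif t.scheme is not None:
            continue         # vhost triggers do not apply to standard junctions
        if fnmatchcase(path, t.path_pattern):
            return True
    return False


# Constructed sample stanza using the two example triggers from the reference.
SAMPLE_TRIGGERS = """
[eai-trigger-urls]
trigger = /jct/cgi-bin/eaitest/*
trigger = HTTPS://vhost1.example.com:4344/jct/cgi-bin/eaitest/*
"""

if __name__ == "__main__":
    t = load_triggers(SAMPLE_TRIGGERS)
    print(is_trigger_request(t, "https", "vhost1.example.com", 4344,
                             "/jct/cgi-bin/eaitest/login", True))
```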


[e-community-domains] stanza

name

Syntax

name = domain

Description

The e-community cookie domains used by virtual host junctions. The domain used by a particular virtual host junction is chosen by finding the longest domain in the table that matches the virtual host name. Each of these domains must also have a corresponding table of keys defined by creating a stanza of the format [e-community-domain-keys:domain].

Options

domain The e-community cookie domain used by virtual host junctions.

Usage

This stanza entry is optional.

Default value

None.

Example

name = www.example.com

[e-community-domain-keys] stanza

domain_name

Syntax

domain_name = key_file

Description

File names for keys for any domains that are participating in the e-community. This includes the domain in which the WebSEAL server is running. These are shared on a pair-wise-by-domain basis.

Options

domain_name
    A domain that is participating in the e-community.

key_file
    File name for the key for any domain that is participating in the e-community.

Usage

This stanza entry is optional.


Default value

None.

Example

ecssoserver.subnet.example.com = ecsso.key

[e-community-domain-keys:domain] stanza

domain_name

Syntax

domain_name = key_file

Description

Keys for any domains that are participating in the e-community, including the domain in which the virtual host junction is running. These are shared on a pair-wise-by-domain basis.

Options

domain_name
    Domain that is participating in the e-community, including the domain in which the virtual host junction is running.

key_file
    Key for any domain that is participating in the e-community, including the domain in which the virtual host junction is running.

Usage

This stanza entry is optional.

Default value

None.

Example

[e-community-domain-keys:www.example.com]
ecssoserver.subnet.example.com = ecsso.key
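The domain selection described for the [e-community-domains] stanza and its per-domain key tables, as an added example that is not WebSEAL code: it picks the longest matching cookie domain for a virtual host name and then looks up the corresponding [e-community-domain-keys:domain] stanza, raising an error when that stanza is missing. Assumption: a domain "matches" the virtual host name when the name equals the domain or ends with "." followed by the domain, compared case-insensitively. The sample configuration and key file names are constructed.

```python
"""Select the e-community cookie domain and key table for a virtual host junction."""
from __future__ import annotations

import re
from typing import Dict, List, Optional, Tuple

Stanzas = Dict[str, List[Tuple[str, str]]]   # stanza name -> ordered (key, value) pairs


def parse_stanzas(text: str) -> Stanzas:
    """Minimal parser for WebSEAL-style '[stanza]' / 'key = value' text; keys may repeat."""
    stanzas: Stanzas = {}
    current: Optional[List[Tuple[str, str]]] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
            continue
        key, sep, val = line.partition("=")
        if sep and current is not None:
            current.append((key.strip(), val.strip()))
    return stanzas


def domain_matches(vhost: str, domain: str) -> bool:
    """Suffix match on DNS labels (assumption about what 'matches' means)."""
    vhost, domain = vhost.lower().rstrip("."), domain.lower().rstrip(".")
    return vhost == domain or vhost.endswith("." + domain)


def cookie_domain_for(vhost: str, stanzas: Stanzas) -> Optional[str]:
    """Longest [e-community-domains] 'name' entry matching the virtual host name."""
    names = [v for k, v in stanzas.get("e-community-domains", []) if k == "name"]
    matching = [d for d in names if domain_matches(vhost, d)]
    return max(matching, key=len) if matching else None


def domain_keys_for(vhost: str, stanzas: Stanzas) -> Dict[str, str]:
    """Key table (peer domain -> key file) for the selected cookie domain.

    Raises LookupError when the required [e-community-domain-keys:domain]
    stanza for the selected domain is missing from the configuration.
    """
    domain = cookie_domain_for(vhost, stanzas)
    if domain is None:
        return {}
    table = stanzas.get(f"e-community-domain-keys:{domain}")
    if table is None:
        raise LookupError(f"missing [e-community-domain-keys:{domain}] stanza")
    return dict(table)


# Constructed sample configuration; partner.example.net deliberately lacks a key table.
SAMPLE_CONFIG = """
[e-community-domains]
name = example.com
name = sales.example.com
name = partner.example.net

[e-community-domain-keys:example.com]
ecssoserver.subnet.example.com = ecsso.key

[e-community-domain-keys:sales.example.com]
ecssoserver.subnet.example.com = ecsso-sales.key
"""

if __name__ == "__main__":
    cfg = parse_stanzas(SAMPLE_CONFIG)
    for host in ("www.example.com", "shop.sales.example.com", "www.example.org"):
        print(host, "->", cookie_domain_for(host, cfg))
```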

[e-community-sso] stanza

cache-requests-for-ecsso

Syntax

cache-requests-for-ecsso = {yes|no}

Description

Specifies whether or not to cache request data from an unauthenticated request while the e-community master authentication server (MAS) authenticates the user.


Options

yes If an unauthenticated request is made, the request data is cached while the e-community master authentication server (MAS) authenticates the user.

no If an unauthenticated request is made, the request data is not cached while the e-community master authentication server (MAS) authenticates the user. The original request data will be lost.

Usage

This stanza entry is required.

Default value

yes

Example

cache-requests-for-ecsso = yes

e-community-name

Syntax

e-community-name = name

Description

String value that specifies an e-community name. When e-community single signon is supported, this name must match any vouch-for tokens or e-community cookies that are received.

Options

name String value that specifies an e-community name. The string must not contain the equals sign ( = ) or ampersand ( & ).

Usage

This stanza entry is optional.

Default value

None.

Example

e-community-name = company1

disable-ec-cookie

Syntax

disable-ec-cookie = {yes|no}

Description

Provides an option to override default e-Community Single Sign-On (eCSSO) behavior and prohibit WebSEAL from using e-community cookies.


Options

yes Prohibits WebSEAL from using the e-community cookie; only the master authentication server (MAS) will be permitted to generate vouch-for tokens.

no The default eCSSO behavior in WebSEAL is left unchanged.

Usage

This stanza entry is optional.

Default value

no

Example

disable-ec-cookie = no

e-community-sso-auth

Syntax

e-community-sso-auth = {none|http|https|both}

Description

Enables participation in e-community single signon.

Options

{none|http|https|both}
    Specifies which protocols are supported. The value both means both HTTP and HTTPS.

Usage

This stanza entry is required.

Default value

none

Example

e-community-sso-auth = none

ec-cookie-domain

Syntax

ec-cookie-domain = domain

Description

Specifies the e-community cookie domain. If not set, WebSEAL uses the domain from the automatically determined host name (or web-host-name if specified).


Options

domain The e-community cookie domain. If not set, WebSEAL uses the domain from the automatically determined host name (or web-host-name if specified).

Usage

If not set, WebSEAL uses the domain from the automatically determined host name (or web-host-name if specified).

Default value

None.

Example

ec-cookie-domain = www.example.com

ec-cookie-lifetime

Syntax

ec-cookie-lifetime = number_of_minutes

Description

Positive integer value indicating the lifetime of an e-community cookie.

Options

number_of_minutes
    Positive integer value indicating the lifetime, in minutes, of an e-community cookie. Minimum value is 1. There is no maximum value.

Usage

This stanza entry is required.

Default value

300

Example

ec-cookie-lifetime = 300

ecsso-allow-unauth

Syntax

ecsso-allow-unauth = {yes|no}

Description

Enables or disables unauthenticated access to unprotected resources on an e-community SSO slave server.

Options

yes The value yes enables unauthenticated access.


no The value no disables access. For compatibility with versions of WebSEAL prior to version 5.1, set this value to no.

Usage

This stanza entry is required.

Default value

yes

Example

ecsso-allow-unauth = yes

ecsso-propagate-errors

Syntax

ecsso-propagate-errors = {yes|no}

Description

Specifies whether authentication errors returned by the master-authn-server in vouch-for tokens are propagated to the ERROR_CODE and ERROR_TEXT macros used by facilities such as local response redirect.

Options

yes Authentication errors are propagated to the ERROR_CODE and ERROR_TEXT macros.

no Authentication errors are not propagated to the ERROR_CODE and ERROR_TEXT macros.

Usage

This stanza entry is required.

Default value

no

Example

ecsso-propagate-errors = no

handle-auth-failure-at-mas

Syntax

handle-auth-failure-at-mas = {yes|no}

Description

Provides an option to override default eCSSO behavior and allow the MAS to handle login failures without redirecting the Web browser back to the requesting host.


Options

yes Enables the MAS to handle login failures directly without redirecting the Web browser back to the requesting host.

no The default eCSSO behavior in WebSEAL is left unchanged. On a login failure, the MAS will generate a vouch-for token and redirect the Web browser back to the requesting host.

Usage

This stanza entry is optional.

Default value

no

Example

handle-auth-failure-at-mas = no

is-master-authn-server

Syntax

is-master-authn-server = {yes|no}

Description

Specifies whether this WebSEAL server accepts vouch-for requests from other WebSEAL instances. The WebSEAL instances must have domain keys listed in the [e-community-domain-keys] stanza.

Options

yes This WebSEAL server accepts vouch-for requests from other WebSEAL instances. When this value is yes, this WebSEAL server is the master authentication server.

no This WebSEAL server does not accept vouch-for requests from other WebSEAL instances.

Usage

This stanza entry is optional.

Default value

None.

Example

is-master-authn-server = no

master-authn-server

Syntax

master-authn-server = fully_qualified_hostname


Description

Location of the master authentication server. This value must be specified when is-master-authn-server is set to no. If a local domain login has not been performed, then authentication attempts are routed through the master machine. The master machine will vouch for the user identity. The domain key for the master-authn-server needs to be listed in the [e-community-domain-keys] stanza.

Options

fully_qualified_hostname
    Location of the master authentication server.

Usage

This stanza entry is optional.

Default value

None.

Example

master-authn-server = diamond.dev.example.com

master-http-port

Syntax

master-http-port = port_number

Description

Integer value specifying the port number on which the master-authn-server listens for HTTP requests. The setting is necessary when e-community-sso-auth permits use of the HTTP protocol, and the master-authn-server listens for HTTP requests on a port other than the standard HTTP port (port 80). This stanza entry is ignored if this WebSEAL server is the master authentication server.

Options

port_number
    Integer value specifying the port number on which the master-authn-server listens for HTTP requests.

Usage

This stanza entry is optional.

Default value

None.

Example

master-http-port = 81


master-https-port

Syntax

master-https-port = port_number

Description

Integer value specifying the port number on which the master-authn-server listens for HTTPS requests. The setting is necessary when e-community-sso-auth permits use of the HTTPS protocol, and the master-authn-server listens for HTTPS requests on a port other than the standard HTTPS port (port 443). This stanza entry is ignored if this WebSEAL server is the master authentication server.

Options

port_number
    Integer value specifying the port number on which the master-authn-server listens for HTTPS requests.

Usage

This stanza entry is optional.

Default value

None.

Example

master-https-port = 444

propagate-cdmf-errors

Syntax

propagate-cdmf-errors = {yes|no}

Description

Controls subsequent behavior of the token creation process when the cdmf_get_usr_attributes call fails to obtain the required extended attribute information and returns an error.

Options

yes A "yes" value forces the token creation process to abort when CDMF fails to obtain attributes and returns an error.

no A "no" value (default) allows the token creation process to proceed even when CDMF fails to obtain attributes and returns an error.

Usage

This stanza entry is required.

Default value

no


Example

propagate-cdmf-errors = no

use-utf8

Syntax

use-utf8 = {yes|no}

Description

Use UTF-8 encoding for tokens used in e-community single signon.

Options

yes Beginning with version 5.1, WebSEAL servers use UTF-8 encoding by default. When this stanza entry is set to yes, tokens can be exchanged with other WebSEAL servers that use UTF-8 encoding. This enables tokens to be used across different code pages (such as for a different language).

no For backward compatibility with tokens created by WebSEAL servers from versions prior to 5.1, set this stanza entry to no.

Usage

This stanza entry is required.

Default value

yes

Example

use-utf8 = yes

vf-argument

Syntax

vf-argument = vouch-for_token_name

Description

String value containing the name of the vouch-for token contained in a vouch-for reply. This is used to construct the vouch-for replies by the master authentication server, and to distinguish incoming requests as ones with vouch-for information by participating e-community single signon servers.

Options

vouch-for_token_name
    Valid characters for the string are ASCII characters except for ampersand ( & ), equals sign ( = ), and question mark ( ? ).

Usage

This stanza entry is optional.


Default value

PD-VF

Example

vf-argument = PD-VF

vf-token-lifetime

Syntax

vf-token-lifetime = number_of_seconds

Description

Positive integer indicating the lifetime, in seconds, of the vouch-for token. This is set to account for clock skew between participant servers.

Options

number_of_seconds
    Positive integer indicating the lifetime, in seconds, of the vouch-for token. The minimum value is 1 second. There is no maximum value.

Usage

This stanza entry is optional.

Default value

180

Example

vf-token-lifetime = 180

vf-url

Syntax

vf-url = URL_designation

Description

Designator for the vouch-for URL. This specifies the start of a URL relative to the server root. This is used to construct vouch-for requests for participating e-community single signon servers, and to distinguish requests for vouch-for information from other requests by the master authentication server.

Options

URL_designation
    The URL_designation string can contain alphanumeric characters and the following special characters: dollar sign ( $ ), hyphen ( - ), underscore ( _ ), period ( . ), plus sign ( + ), exclamation point ( ! ), asterisk ( * ), single quote ( ' ), parentheses " ( ) " and comma ( , ). Question marks ( ? ) are not allowed.


Usage

This stanza entry is optional.

Default value

When the stanza entry is not present in the configuration file, the default value is /pkmsvouchfor.

Example

vf-url = /pkmsvouchfor

[ecsso-incoming-attributes] stanza

attribute_pattern

Syntax

attribute_pattern = {preserve|refresh}

Description

Extended attributes to extract from incoming eCSSO authentication tokens.

The attributes typically match those declared in the [cdsso-token-attributes] stanza for the WebSEAL server in the source domain.

The attribute_pattern can be either a specific value or a pattern that uses standard Security Access Manager wildcard characters ( *, [], ^, \, ?).

The order of attribute_pattern entries is important. The first entry that matches the attribute is used. Other entries are ignored.

Options

preserve
    Attributes in eCSSO vouch-for tokens that match a "preserve" entry, or matching none of the entries, are kept. If no entries are configured, then all attributes are kept.

refresh
    Attributes in eCSSO vouch-for tokens that match a "refresh" entry are removed from the token before the CDMF library is called to map the remote user into the local domain.

Usage

This stanza entry is optional.

Default value

None.

Example

my_cred_attr1 = preserve


[ecsso-token-attributes] stanza

<default>

Syntax

<default> = pattern1
[<default> = pattern2]
...
[<default> = patternN]

Description

Credential attributes to include in eCSSO authentication tokens. When WebSEAL cannot find a domain_name entry to match the domain, the entries in "<default>" are used. The word <default> is a key word and must not be modified.

Options

pattern The pattern can either be a specific value or a pattern that uses standard Security Access Manager wildcard characters ( *, [], ^, \, ?).

Usage

This stanza entry is optional.

Default value

None.

Example

<default> = my_cdas_attr_*

domain_name

Syntax

domain_name = pattern1
[domain_name = pattern2]
...
[domain_name = patternN]

Description

Credential attributes to include in eCSSO authentication tokens.

Options

domain_name
    The domain_name specifies the destination domain containing the server that will consume the token.

pattern The pattern for each entry can either be a specific value or a pattern that uses standard Security Access Manager wildcard characters ( *, [], ^, \, ?).

Usage

This stanza entry is optional.


Default value

None.

Example

example1.com = my_cdas_attr_*
example1.com = some_exact_attribute
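The attribute selection of the [ecsso-token-attributes] stanza (domain_name entries for the destination domain, else the <default> entries) together with the first-match preserve/refresh filtering of the [ecsso-incoming-attributes] stanza, as one added example that is not WebSEAL code. Assumption: Security Access Manager wildcard patterns are approximated with Python's fnmatch, which shares '*', '?' and '[...]' but not '^' or '\'. The sample stanzas and credential are constructed.

```python
"""Outgoing and incoming eCSSO token attribute handling."""
from __future__ import annotations

from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

Entries = List[Tuple[str, str]]   # ordered (key, value) pairs of one stanza


def parse_stanza_entries(text: str) -> Entries:
    """Ordered key/value pairs of a single stanza; the '[stanza]' line is skipped."""
    entries: Entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, sep, val = line.partition("=")
        if sep:
            entries.append((key.strip(), val.strip()))
    return entries


def outgoing_token_attributes(credential: Dict[str, str], dest_domain: str,
                              token_attr_entries: Entries) -> Dict[str, str]:
    """Credential attributes to place in a token bound for dest_domain.

    domain_name entries for that domain win; otherwise the <default> entries apply.
    """
    patterns = [v for k, v in token_attr_entries if k.lower() == dest_domain.lower()]
    if not patterns:
        patterns = [v for k, v in token_attr_entries if k == "<default>"]
    return {name: value for name, value in credential.items()
            if any(fnmatchcase(name, p) for p in patterns)}


def filter_incoming_token(token_attrs: Dict[str, str],
                          incoming_entries: Entries) -> Dict[str, str]:
    """Apply [ecsso-incoming-attributes]: the first matching entry decides.

    'refresh' removes the attribute before CDMF mapping; 'preserve', or no
    matching entry at all, keeps it. With no entries every attribute is kept.
    """
    kept: Dict[str, str] = {}
    for name, value in token_attrs.items():
        action = "preserve"
        for pattern, configured_action in incoming_entries:
            if fnmatchcase(name, pattern):
                action = configured_action.lower()
                break                       # later entries are ignored
        if action != "refresh":
            kept[name] = value
    return kept


# Constructed samples built on the reference's own example entries.
SAMPLE_TOKEN_ATTRIBUTES = """
[ecsso-token-attributes]
<default> = my_cdas_attr_*
example1.com = my_cdas_attr_*
example1.com = some_exact_attribute
"""
SAMPLE_INCOMING = """
[ecsso-incoming-attributes]
my_cred_attr1 = preserve
my_cred_attr* = refresh
"""
SAMPLE_CREDENTIAL = {
    "my_cdas_attr_role": "admin",
    "some_exact_attribute": "x",
    "local_only_attribute": "never leaves this domain",
}

if __name__ == "__main__":
    ta = parse_stanza_entries(SAMPLE_TOKEN_ATTRIBUTES)
    print(outgoing_token_attributes(SAMPLE_CREDENTIAL, "example1.com", ta))
    ia = parse_stanza_entries(SAMPLE_INCOMING)
    print(filter_incoming_token({"my_cred_attr1": "a", "my_cred_attr2": "b"}, ia))
```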

[enable-redirects] stanza

redirect

Syntax

redirect = {forms-auth|basic-auth|cert-auth|ext-auth-interface}

Description

Enables redirection for use with one or more authentication mechanisms.

Options

{forms-auth|basic-auth|cert-auth|ext-auth-interface}
    Redirection is supported for:
    - Forms authentication
    - Basic authentication
    - Certificate authentication
    - External authentication interface

The configuration file must contain a separate entry for each authentication mechanism for which redirection is enabled.

Usage

This stanza entry is optional.

Default value

None.

Example

Example entries that enable redirection for forms authentication and basic authentication:

redirect = forms-auth
redirect = basic-auth

[failover] stanza

clean-ecsso-urls-for-failover

Syntax

clean-ecsso-urls-for-failover = {yes|no}


Description

You can enable Failover Authentication and eCSSO in your environment. During failover authentication, if a user was originally authenticated using eCSSO, WebSEAL updates the URL that it sends to the back-end server. WebSEAL sends PD-VFHOST and PD-VF tokens as query arguments, along with the original URL.

Use the clean-ecsso-urls-for-failover configuration entry to control whether these tokens are removed from the URL.

Options

yes The query arguments that contain the PD-VFHOST and PD-VF tokens are removed from the URL.

no The query arguments that contain the PD-VFHOST and PD-VF tokens are not removed from the URL.

Usage

This stanza entry is optional.

Default value

no

Example

clean-ecsso-urls-for-failover = no

enable-failover-cookie-for-domain

Syntax

enable-failover-cookie-for-domain = {yes|no}

Description

Enables the failover cookie for the domain.

Options

yes Enables the failover cookie for the domain.

no Disables the failover cookie for the domain.

Usage

This stanza entry is required.

Default value

no

Example

enable-failover-cookie-for-domain = no


failover-auth

Syntax

failover-auth = {none|http|https|both}

Description

Enables WebSEAL to accept failover cookies.

Options

{none|http|https|both}
    Specifies which protocols are supported. The value both means both HTTP and HTTPS.

Usage

This stanza entry is required.

Default value

none

Example

failover-auth = none

failover-cookie-lifetime

Syntax

failover-cookie-lifetime = number_of_minutes

Description

An integer value specifying the number of minutes that failover cookie contents are valid.

Options

number_of_minutes
    An integer value specifying the number of minutes that failover cookie contents are valid. Must be a positive integer. There is no maximum value.

Usage

This stanza entry is required.

Default value

60

Example
failover-cookie-lifetime = 60

failover-cookies-keyfile

Syntax
failover-cookies-keyfile = file_name

Description

A key file for failover cookie encryption. Use the SSO Keys management page of the LMI to generate this file.

Options

file_name
Name of the key file for failover cookie encryption.

Usage

This stanza entry is optional.

Default value

None.

Example
failover-cookies-keyfile = failover.key

failover-include-session-id

Syntax
failover-include-session-id = {yes|no}

Description

Enables or disables reuse of a client's original session ID, to improve failover authentication response and performance in a non-sticky load-balancing environment. WebSEAL reuses the original session ID by storing the ID as an extended attribute in the failover cookie.

Options

yes WebSEAL reuses a client's original session ID to improve failover authentication response and performance in a non-sticky load-balancing environment.

no WebSEAL does not reuse a client's original session ID.

Usage

This stanza entry is required.

Default value

no

Example
failover-include-session-id = no

failover-require-activity-timestamp-validation

Syntax
failover-require-activity-timestamp-validation = {yes|no}

Description

Enables or disables the requirement that the failover cookie contain a session activity timestamp, which WebSEAL then validates.

Options

yes Requires a session activity timestamp in the failover cookie and validates it.

no Does not require a session activity timestamp in the failover cookie; a cookie that carries no activity timestamp is accepted. For backward compatibility with versions of WebSEAL server prior to version 5.1, set this stanza entry to no. Versions prior to version 5.1 did not create the session activity timestamp in the failover cookie.

Usage

This stanza entry is required.

Default value

no

Example
failover-require-activity-timestamp-validation = no

failover-require-lifetime-timestamp-validation

Syntax
failover-require-lifetime-timestamp-validation = {yes|no}

Description

Enables or disables the requirement that the failover cookie contain a session lifetime timestamp, which WebSEAL then validates.

Options

yes Requires a session lifetime timestamp in the failover cookie and validates it.

no Does not require a session lifetime timestamp in the failover cookie; a cookie that carries no lifetime timestamp is accepted. For backward compatibility with versions of WebSEAL server prior to version 5.1, set this stanza entry to no. Versions prior to version 5.1 did not create the session lifetime timestamp in the failover cookie.

Usage

This stanza entry is required.

Default value

no

Example
failover-require-lifetime-timestamp-validation = no

failover-update-cookie

Syntax
failover-update-cookie = number_of_seconds

Description

The maximum interval, in seconds, allowed between updates of the session activity timestamp in the failover cookie. The value is an integer. When the server receives a request, if the number of seconds specified for this parameter has passed since the last update, the session activity timestamp is updated.

Options

number_of_seconds
When the value is 0, the session activity timestamp is updated on every request. When the value is less than zero (a negative number), the session activity timestamp is never updated. There is no maximum value.

Usage

This stanza entry is required.

Default value

-1

Example
failover-update-cookie = 60

reissue-missing-failover-cookie

Syntax
reissue-missing-failover-cookie = {yes|no}

Description

Allows WebSEAL to reissue a cached copy of the original failover cookie in the response to a client, if the client makes a request that does not include the failover cookie.

Options

yes Enables the failover cookie reissue mechanism.

no Disables the failover cookie reissue mechanism.

Usage

This stanza entry is required.

Default value

no

Example
reissue-missing-failover-cookie = no

use-utf8

Syntax
use-utf8 = {yes|no}

Description

Use UTF-8 encoding for strings in the failover authentication cookie.

Options

yes Beginning with version 5.1, WebSEAL servers use UTF-8 encoding by default. When this stanza entry is set to yes, cookies can be exchanged with other WebSEAL servers that use UTF-8 encoding. This enables cookies to be used across different code pages (such as for a different language).

no For backward compatibility with cookies created by WebSEAL servers from versions prior to 5.1, set this stanza entry to no.

Usage

This stanza entry is required.

Default value

yes

Example
use-utf8 = yes

[failover-add-attributes] stanza

attribute_pattern

Syntax
attribute_pattern = add

Description

List of attributes from the original credential that must be preserved in the failover cookie.

The order of entries in the stanza is important. Rules (patterns) that appear earlier in the stanza take precedence over those that appear later in the stanza. Attributes that do not match any pattern will not be added to the failover cookie.

Options

attribute_pattern
The attribute pattern is a case-insensitive wildcard pattern.

add Add attribute.

Usage

Entries in this stanza are optional.

Default value

There are no default entries in this stanza. However, the attributes AUTHENTICATION_LEVEL and AZN_CRED_AUTH_METHOD are added to the failover cookie by default. These attributes do not need to be included in the configuration stanza.

Example
tagvalue_failover_amweb_session_id = add

session-activity-timestamp

Syntax
session-activity-timestamp = add

Description

This entry specifies that the timestamp for the last user activity be taken from the failover cookie and added to the new session on the replicated server.

This attribute cannot be specified by pattern matching. This entry must be added exactly as it is written.

Options

add Add attribute.

Usage

This stanza entry is optional and must be manually added to the configuration file.

Default value

None.

Example
session-activity-timestamp = add

session-lifetime-timestamp

Syntax
session-lifetime-timestamp = add

Description

This entry specifies that the timestamp for creation of the original session be taken from the failover cookie and added to the new session on the replicated server.

This attribute cannot be specified by pattern matching. This entry must be added exactly as it is written.

Options

add Add attribute.

Usage

This stanza entry is optional and must be manually added to the configuration file.

Default value

None.

Example
session-lifetime-timestamp = add

[failover-restore-attributes] stanza

attribute_pattern

Syntax
attribute_pattern = preserve

Description

List of attributes to put in the new credential when recreating a credential from a failover cookie.

The order of entries in the stanza is important. Rules (patterns) that appear earlier in the stanza take precedence over those that appear later in the stanza. Attributes that do not match any pattern will not be added to the credential.

Options

attribute_pattern
The attribute pattern is a case-insensitive wildcard pattern.

preserve
When WebSEAL recreates a credential, all failover cookie attributes are ignored unless specified by an entry with the value preserve.

Usage

Entries in this stanza are optional.

Default value

None.

Example
tagvalue_failover_amweb_session_id = preserve

attribute_pattern

Syntax
attribute_pattern = refresh

Description

A list of failover cookie attributes to omit from the recreated user credential.

This list is not needed in all configurations. The default behavior when recreating a user credential is to omit all attributes that are not specified with a value of preserve. In some cases it might be necessary to specify an exception to a wildcard pattern match, to ensure that a specific attribute gets refreshed, not preserved. This specification might be necessary, for example, when using a custom external authentication C API module.

The order of entries in the stanza is important. Rules (patterns) that appear earlier in the stanza take precedence over those that appear later in the stanza, so a refresh entry that is meant as an exception must appear before the wildcard preserve entry it overrides. Attributes that do not match any pattern will not be added to the credential.

Options

attribute_pattern
The attribute pattern is a case-insensitive wildcard pattern.

refresh
Specifies an exception to a wildcard pattern match, to ensure that a specific attribute gets refreshed, not preserved.

Usage

Entries in this stanza are optional.

Default value

None.

Example
tagvalue_failover_amweb_session_id = refresh
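The interaction between the timestamp checks in the [failover] stanza and the attribute rules in [failover-restore-attributes] is easier to see in code. The following Python model is an added example written for this reference, not WebSEAL code: the cookie is represented as a plain dictionary instead of WebSEAL's encrypted cookie format, the way each stanza entry maps to a check is this editor's reading of the descriptions above, and the inactivity limit, the rule list and every attribute name other than tagvalue_failover_amweb_session_id and AUTHENTICATION_LEVEL are assumptions made for the example.

```python
"""Model of failover-cookie acceptance and credential rebuilding.
Added illustration for this reference; not WebSEAL code.  The cookie is a
plain dict with UNIX timestamps; WebSEAL's real cookie is encrypted with the
key in failover-cookies-keyfile and is not modelled here."""
import fnmatch

# [failover] values (entry names from this reference; values are hypothetical)
FAILOVER = {
    "failover-cookie-lifetime": 60,                          # minutes
    "failover-require-lifetime-timestamp-validation": "yes",
    "failover-require-activity-timestamp-validation": "yes",
}
INACTIVE_TIMEOUT_S = 1800   # assumed session inactivity limit (not in this stanza)

# [failover-restore-attributes], in file order.  The refresh exception is listed
# before the wildcard preserve rule so that it takes precedence.
RESTORE_RULES = [
    ("tagvalue_failover_amweb_session_id", "refresh"),
    ("tagvalue_*", "preserve"),
    ("AUTHENTICATION_LEVEL", "preserve"),
]


def restore_attributes(cookie_attrs, rules=RESTORE_RULES):
    """Apply [failover-restore-attributes]: first matching pattern wins, patterns
    are case-insensitive wildcards, unmatched attributes are dropped."""
    kept = {}
    for name, value in cookie_attrs.items():
        for pattern, action in rules:
            if fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                if action == "preserve":
                    kept[name] = value
                break            # earlier rule wins; "refresh" drops the attribute
    return kept


def validate_failover_cookie(cookie, now, config=FAILOVER,
                             inactive_timeout_s=INACTIVE_TIMEOUT_S):
    """Return (accepted, reason) for a decrypted failover cookie."""
    lifetime_s = config["failover-cookie-lifetime"] * 60
    if now - cookie["cookie-created"] > lifetime_s:
        return False, "cookie older than failover-cookie-lifetime"
    if config["failover-require-lifetime-timestamp-validation"] == "yes":
        if "session-lifetime-timestamp" not in cookie:
            # pre-5.1 servers never wrote this; with "no" such cookies are accepted
            return False, "session-lifetime-timestamp missing"
    if config["failover-require-activity-timestamp-validation"] == "yes":
        last_active = cookie.get("session-activity-timestamp")
        if last_active is None:
            return False, "session-activity-timestamp missing"
        if now - last_active > inactive_timeout_s:
            return False, "session idle too long"
    return True, "ok"


def failover_login(cookie, now):
    """Full path: accept the cookie, then rebuild the credential from it."""
    accepted, reason = validate_failover_cookie(cookie, now)
    if not accepted:
        return None, reason
    return restore_attributes(cookie["attributes"]), reason


# Constructed sample cookie, as another WebSEAL replica might have written it.
NOW = 1_700_000_000
SAMPLE_COOKIE = {
    "cookie-created": NOW - 120,
    "session-lifetime-timestamp": NOW - 3000,
    "session-activity-timestamp": NOW - 30,
    "attributes": {
        "AUTHENTICATION_LEVEL": "1",
        "tagvalue_failover_amweb_session_id": "0123abcd",  # refreshed, not restored
        "tagvalue_department": "finance",                   # preserved by tagvalue_*
        "AZN_CRED_PRINCIPAL_NAME": "testuser",             # matches no rule: dropped
    },
}

if __name__ == "__main__":
    print(failover_login(SAMPLE_COOKIE, NOW))
```

Swapping the two tagvalue rules in RESTORE_RULES makes the wildcard preserve match first, and the session ID is then carried into the new credential despite the refresh entry; that is the precedence rule the stanza descriptions state.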

[filter-content-types] stanza

type

Syntax
type = type_name

Description

List of entries that specify MIME types to be filtered by WebSEAL when received from junctioned servers.

Administrators can add additional MIME types that refer to a document that contains HTML or HTML-like content.

Options

type_name
MIME type.

Usage

This list of stanza entries is required.

Default value

Do not remove the default entries.
type = text/html
type = text/vnd.wap.wml

Example
type = text/html
type = text/vnd.wap.wml

[filter-events] stanza

HTML_tag

Syntax
HTML_tag = event_handler

Description

List of HTML tags and event handler attributes used by WebSEAL to identify and filter absolute URLs embedded in JavaScript. HTML tags can carry event handler attributes whose JavaScript is invoked when certain events occur. For example, the HTML tag:

<form onsubmit="javascript:doSomething()">

causes the JavaScript function doSomething() to be called when the form is submitted.

The entries in this stanza identify HTML tags that may contain JavaScript code. When such a tag is discovered, WebSEAL searches the tag to filter any absolute URLs embedded in the JavaScript. For example, if the "form onsubmit" example looked like:

<form onsubmit="javaScript:doSomething('http://junction.server.com')">

WebSEAL HTML filtering would modify the tag to look like:

<form onsubmit="javaScript:doSomething('/junction')">

Administrators can add additional entries when necessary. New entries must consist of valid HTML tags and JavaScript event handler attributes. When adding new entries, maintain alphabetical order.

Options

HTML_tag
HTML tag.

event_handler
JavaScript event handler.

Usage

This list is required. Although not all tags are required by all applications, the unused tags do no harm. Leave the default entries in this list.

Default value

Default HTML tags and event handlers:
A = ONCLICK
A = ONDBLCLICK
A = ONMOUSEDOWN
A = ONMOUSEOUT
A = ONMOUSEOVER
A = ONMOUSEUP
AREA = ONCLICK
AREA = ONMOUSEOUT
AREA = ONMOUSEOVER
BODY = ONBLUR
BODY = ONCLICK
BODY = ONDRAGDROP
BODY = ONFOCUS
BODY = ONKEYDOWN
BODY = ONKEYPRESS
BODY = ONKEYUP
BODY = ONLOAD
BODY = ONMOUSEDOWN
BODY = ONMOUSEUP
BODY = ONMOVE
BODY = ONRESIZE
BODY = ONUNLOAD
FORM = ONRESET
FORM = ONSUBMIT
FRAME = ONBLUR
FRAME = ONDRAGDROP
FRAME = ONFOCUS
FRAME = ONLOAD
FRAME = ONMOVE
FRAME = ONRESIZE
FRAME = ONUNLOAD
IMG = ONABORT
IMG = ONERROR
IMG = ONLOAD
INPUT = ONBLUR
INPUT = ONCHANGE
INPUT = ONCLICK
INPUT = ONFOCUS
INPUT = ONKEYDOWN
INPUT = ONKEYPRESS
INPUT = ONKEYUP
INPUT = ONMOUSEDOWN
INPUT = ONMOUSEUP
INPUT = ONSELECT
LAYER = ONBLUR
LAYER = ONLOAD
LAYER = ONMOUSEOUT
LAYER = ONMOUSEOVER
SELECT = ONBLUR
SELECT = ONCHANGE
SELECT = ONFOCUS
TEXTAREA = ONBLUR
TEXTAREA = ONCHANGE
TEXTAREA = ONFOCUS
TEXTAREA = ONKEYDOWN
TEXTAREA = ONKEYPRESS
TEXTAREA = ONKEYUP
TEXTAREA = ONSELECT

Example
IMG = ONABORT

[filter-request-headers] stanza

header

Syntax
header = header_name

Description

List of HTTP headers that WebSEAL filters before sending the request to a junctioned server. A default list is built in to WebSEAL. The default entries are not included in the configuration file.

The addition of new entries in this stanza is optional. For example, an administrator could add the accept-encoding header. This would instruct WebSEAL to remove any accept-encoding headers from requests before forwarding the request to the junction. The removal of the accept-encoding header would cause the junction server to return the document in an unencoded form, allowing WebSEAL to filter the document if necessary.

New entries must consist of valid HTTP headers.

Options

header_name
HTTP header name.

Usage

The addition of new entries in this stanza is optional.

Default value

Default built-in header list:
host
connection
proxy-connection
expect
te
iv-ssl-jct
iv-user
iv_user
iv-groups
iv_groups
iv-creds
iv_creds
iv_remote_address
iv-remote-address

The list includes the iv-user, iv-groups, iv-creds and iv-remote-address headers (and their underscore forms) that WebSEAL itself sets on junctions configured to pass identity information, so any copies of those headers supplied by the client are removed before WebSEAL adds its own.

Example
header = accept-encoding

[filter-schemes] stanza

scheme

Syntax
scheme = scheme_name

Description

List of URL schemes that are not to be filtered by WebSEAL. A scheme is a protocol identifier.

This list is used when WebSEAL encounters a document containing a base URL. For example:

<head><base href="http://www.foo.com"></head>
<a href="mailto:[email protected]">Send me mail</a>

WebSEAL identifies the scheme mailto because this scheme is included by default in the [filter-schemes] stanza. If mailto was not identified as a scheme, WebSEAL would interpret the link as a document path and perform normal filtering. WebSEAL would then rewrite the link as:

<a href="http://www.foo.com/mailto:[email protected]">

This would be incorrect.

Options

scheme_name
Scheme name.

Usage

WebSEAL provides a set of default schemes. The administrator can extend the list if additional protocols are used. Do not delete entries from the list.

Default value

Default list entries:
scheme = file
scheme = ftp
scheme = https
scheme = mailto
scheme = news
scheme = telnet

Example
scheme = telnet

[filter-url] stanza

HTML_tag

Syntax
HTML_tag = URL_attribute

Description

List of HTML tag attributes that carry URLs, which WebSEAL filters in responses from junctioned servers.

Administrators can add additional entries when necessary. New entries must consist of valid HTML tags and attributes. When adding new entries, maintain alphabetical order.

Options

HTML_tag
HTML tag.

URL_attribute
URL attribute.

Usage

This list is required. Although not all tags are required by all applications, the unused tags do no harm. Leave the default entries in this list.

Default value

Default HTML tags and attributes:
A = HREF
APPLET = CODEBASE
AREA = HREF
BASE = HREF
BGSOUND = SRC
BLOCKQUOTE = CITE
BODY = BACKGROUND
DEL = CITE
DIV = EMPTYURL
DIV = IMAGEPATH
DIV = URL
DIV = VIEWCLASS
EMBED = PLUGINSPAGE
EMBED = SRC
FORM = ACTION
FRAME = LONGDESC
FRAME = SRC
HEAD = PROFILE
IFRAME = LONGDESC
IFRAME = SRC
ILAYER = BACKGROUND
ILAYER = SRC
IMG = SRC
IMG = LOWSRC
IMG = LONGDESC
IMG = USEMAP
IMG = DYNSRC
INPUT = SRC
INPUT = USEMAP
INS = CITE
ISINDEX = ACTION
ISINDEX = HREF
LAYER = BACKGROUND
LAYER = SRC
LINK = HREF
LINK = SRC
OBJECT = CODEBASE
OBJECT = DATA
OBJECT = USEMAP
Q = CITE
SCRIPT = SRC
TABLE = BACKGROUND
TD = BACKGROUND
TH = BACKGROUND
TR = BACKGROUND
WM:CALENDARPICKER = FOLDERURL
WM:CALENDARPICKER = IMAGEPREVARROW
WM:CALENDARPICKER = IMAGENEXTARROW
WM:CALENDARVIEW = FOLDERURL
WM:MESSAGE = DRAFTSURL
WM:MESSAGE = URL
WM:NOTIFY = FOLDER
WM:REMINDER = FOLDER
?IMPORT = IMPLEMENTATION

Example
IMG = SRC
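The [filter-url], [filter-events] and [filter-schemes] stanzas together describe one rewriting pass over back-end responses. The following Python model is an added example written for this reference, not WebSEAL's implementation. It runs that pass over a constructed HTML response: tag/attribute pairs taken from the default lists above decide which attributes are rewritten, absolute URLs inside listed event handlers are rewritten in place, and a scheme listed in [filter-schemes] is left alone even when a <base href> is present. The junction table (junction.server.com mapped to /junction, www.foo.com mapped to /foo), the subset of stanza entries used, the sample HTML and the mail address in it are all constructed for the example.

```python
"""Model of WebSEAL response filtering driven by [filter-url], [filter-events]
and [filter-schemes].  Added illustration for this reference, not WebSEAL code."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subsets of the default lists above, as (tag, attribute) pairs, lower-cased.
FILTER_URL = {("a", "href"), ("base", "href"), ("form", "action"), ("img", "src")}
FILTER_EVENTS = {("a", "onclick"), ("form", "onsubmit")}
# [filter-schemes] defaults: links with these schemes are never rewritten.
FILTER_SCHEMES = {"file", "ftp", "https", "mailto", "news", "telnet"}
# Hypothetical junction table: back-end origin -> junction point.
JUNCTIONS = {"http://junction.server.com": "/junction", "http://www.foo.com": "/foo"}

ABS_URL_RE = re.compile(r"https?://[^\s'\"()<>]+")


def rewrite_url(url, base=None, junctions=JUNCTIONS, schemes=FILTER_SCHEMES):
    """Rewrite one URL the way the stanza descriptions say WebSEAL does."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in schemes:
        return url                         # recognised scheme: left alone
    if scheme != "http" and base:
        # Anything else is treated as a document path relative to <base href>.
        # Without "mailto" in [filter-schemes] a mailto: link lands here and
        # becomes base + "/mailto:...", the incorrect result described above.
        url = urljoin(base, url) if not scheme else base.rstrip("/") + "/" + url
        parts = urlsplit(url)
    jct = junctions.get("{}://{}".format(parts.scheme, parts.netloc).lower())
    if jct is None:
        return url                         # not a junctioned server
    return jct + parts.path + ("?" + parts.query if parts.query else "")


def _attr(name, value):
    """Serialise one attribute; HTMLParser hands us values already unescaped."""
    if value is None:
        return " " + name
    return ' {}="{}"'.format(name, value.replace("&", "&amp;").replace('"', "&quot;"))


class JunctionFilter(HTMLParser):
    """Rebuilds the document, rewriting attributes named in the filter tables."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.base = [], None

    def _rebuild(self, tag, attrs, self_closing):
        if tag == "base":             # remember the back-end base before rewriting it
            self.base = dict(attrs).get("href") or self.base
        rebuilt = []
        for name, value in attrs:
            if value is not None and (tag, name) in FILTER_URL:
                value = rewrite_url(value, None if tag == "base" else self.base)
            elif value is not None and (tag, name) in FILTER_EVENTS:
                value = ABS_URL_RE.sub(lambda m: rewrite_url(m.group(0)), value)
            rebuilt.append(_attr(name, value))
        self.out.append("<{}{}{}>".format(tag, "".join(rebuilt), " /" if self_closing else ""))

    def handle_starttag(self, tag, attrs):
        self._rebuild(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._rebuild(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append("</{}>".format(tag))

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&{};".format(name))

    def handle_charref(self, name):
        self.out.append("&#{};".format(name))

    def handle_comment(self, data):
        self.out.append("<!--{}-->".format(data))

    def handle_decl(self, decl):
        self.out.append("<!{}>".format(decl))


def filter_html(document):
    parser = JunctionFilter()
    parser.feed(document)
    parser.close()
    return "".join(parser.out)


# Constructed back-end response (www.foo.com and junction.server.com are the
# hosts used in the stanza descriptions; the mail address is made up).
SAMPLE_RESPONSE = (
    '<head><base href="http://www.foo.com/app/"></head>\n'
    '<a href="mailto:webmaster@www.foo.com">Send me mail</a>\n'
    '<a href="http://junction.server.com/docs/index.html">Docs</a>\n'
    '<img src="images/logo.png">\n'
    '<form onsubmit="javaScript:doSomething(\'http://junction.server.com\')"'
    ' action="http://junction.server.com/submit">\n'
)

if __name__ == "__main__":
    print(filter_html(SAMPLE_RESPONSE))
```

Running it prints the response with the base, the relative image path, the absolute docs link, the form action and the URL inside the onsubmit handler all mapped onto junction paths, while the mailto: link is untouched. Passing an empty scheme set to rewrite_url reproduces the "http://www.foo.com/mailto:..." mistake that the [filter-schemes] description warns about.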

[flow-data] stanza

flow-data-enabled

Syntax
flow-data-enabled = {yes|no}

Description

The appliance can record statistical information about incoming WebSEAL requests. Use this parameter to enable or disable the recording of flow data statistics.

If you set this parameter to yes, you can also use the flow-data-stats-interval parameter in the [flow-data] stanza to set the frequency for gathering statistics.

Note: You can configure the [user-agent] stanza to categorize the incoming user-agent requests and make the statistical data more useful. You can then view a statistical breakdown of all requests based on user-agent and junction.

Options

yes WebSEAL records statistics about incoming requests.

no WebSEAL does not record statistics about incoming requests.

Usage

This stanza entry is optional.

Default value

yes

Example
flow-data-enabled = yes

flow-data-stats-interval

Syntax
flow-data-stats-interval = number_of_seconds

Description

This parameter determines how frequently the appliance collects flow data statistics. It specifies the statistics interval in seconds. At each interval, WebSEAL records statistical information about incoming requests. The default value of 600 records statistics every 10 minutes.

To gather statistics at the specified interval, you must use the flow-data-enabled parameter, also in the [flow-data] stanza, to enable flow data statistics on the appliance.

Note: You can configure the [user-agent] stanza to categorize the incoming user-agent requests and make the statistical data more meaningful. You can then view a statistical breakdown of all requests based on user-agent and junction.

Options

number_of_seconds
Specifies the interval, in seconds, that the appliance uses to collect flow data statistics.

Usage

This stanza entry is optional.

Default value

600

Example
flow-data-stats-interval = 600

[forms] stanza

allow-empty-form-fields

Syntax
allow-empty-form-fields = {true|false}

Description

If a forms login request is received with either an empty user name or an empty password, WebSEAL returns the login form without stating an error. If you prefer that an error message is displayed with the returned login form, set this value to true. In this case, WebSEAL attempts to authenticate the user, and if the values have zero length, the registry returns the appropriate error.

Options

true An error message is displayed with the returned login form.

false No error message is displayed with the returned login form.

Usage

This stanza entry is required.

Default value

false

Example
allow-empty-form-fields = false

forms-auth

Syntax
forms-auth = {none|http|https|both}

Description

Enables authentication using the Forms Authentication mechanism.

When forms authentication is enabled, you must also configure an appropriate authentication library by setting a key=value pair in the [authentication-mechanisms] stanza.

Options

{none|http|https|both}
Specifies which protocols are supported. The value both means both HTTP and HTTPS.

Usage

This stanza entry is required.

Default value

none

Example
forms-auth = none

[gso-cache] stanza

gso-cache-enabled

Syntax
gso-cache-enabled = {yes|no}

Description

Enables or disables the Global Signon (GSO) cache.

Options

yes Enables the Global Signon (GSO) cache.

no Disables the Global Signon (GSO) cache.

Usage

This stanza entry is required.

Default value

no

Example
gso-cache-enabled = no

gso-cache-entry-idle-timeout

Syntax
gso-cache-entry-idle-timeout = number_of_seconds

Description

Integer value that specifies the timeout, in seconds, for cache entries that are idle.

Options

number_of_seconds
The value must be greater than or equal to zero (0). A value of 0 means that entries are not removed from the GSO cache due to inactivity. However, they may still be removed due to either the gso-cache-size being exceeded or the gso-cache-entry-lifetime stanza entry being exceeded. WebSEAL does not impose a maximum value.

Usage

This stanza entry is required, but is ignored when GSO caching is disabled.

Default value

120

Example
gso-cache-entry-idle-timeout = 120

gso-cache-entry-lifetime

Syntax
gso-cache-entry-lifetime = number_of_seconds

Description

Integer value that specifies the lifetime, in seconds, of a GSO cache entry.

Options

number_of_seconds
The value must be greater than or equal to zero (0). A value of 0 means that entries are not removed from the GSO cache due to their entry lifetime being exceeded. However, they may still be removed due to either the gso-cache-size being exceeded or the gso-cache-entry-idle-timeout stanza entry being exceeded. WebSEAL does not impose a maximum value.

Usage

This stanza entry is required, but is ignored when GSO caching is disabled.

Default value

900

Example
gso-cache-entry-lifetime = 900

gso-cache-size

Syntax
gso-cache-size = number_of_entries

Description

Integer value indicating the number of entries allowed in the GSO cache.

Options

number_of_entries
The value must be greater than or equal to zero (0). Zero means that there is no limit on the size of the GSO cache. This is not recommended, because each entry holds a user's GSO credentials for a back-end resource in memory.

WebSEAL does not impose a maximum value. Choose your maximum value to stay safely within the bounds of your available system memory.

Usage

This stanza entry is required, but is ignored when GSO caching is disabled.

Default value

1024

Example
gso-cache-size = 1024
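The three [gso-cache] entries interact: an entry can leave the cache for any of three reasons, and a value of 0 switches one of those reasons off. The following Python model is an added example written for this reference, not WebSEAL code. It keeps the semantics described above with an explicit clock so the behaviour is deterministic; the choice to evict the least recently used entry when gso-cache-size is exceeded is an assumption of the model, since the reference does not state which entry WebSEAL evicts.

```python
"""Model of the [gso-cache] eviction rules.  Added illustration for this
reference, not WebSEAL code.  Each cached value stands for the GSO (global
sign-on) credentials WebSEAL would otherwise fetch from the registry."""
from collections import OrderedDict


class GsoCache:
    def __init__(self, size=1024, idle_timeout=120, lifetime=900):
        # Defaults are the stanza defaults: gso-cache-size,
        # gso-cache-entry-idle-timeout, gso-cache-entry-lifetime.
        if min(size, idle_timeout, lifetime) < 0:
            raise ValueError("[gso-cache] values must be >= 0")
        self.size, self.idle_timeout, self.lifetime = size, idle_timeout, lifetime
        self._entries = OrderedDict()          # key -> [created, last_used, creds]

    def put(self, user, gso_resource, credentials, now):
        key = (user, gso_resource)
        self._entries.pop(key, None)
        self._entries[key] = [now, now, credentials]
        # gso-cache-size = 0 means unbounded (not recommended: every entry
        # holds back-end credentials in memory).  Otherwise evict the entry
        # used least recently (eviction order is an assumption of this model).
        while self.size and len(self._entries) > self.size:
            self._entries.popitem(last=False)

    def get(self, user, gso_resource, now):
        key = (user, gso_resource)
        entry = self._entries.get(key)
        if entry is None:
            return None
        created, last_used, credentials = entry
        # A value of 0 disables that particular check, exactly as the stanza says.
        expired_lifetime = self.lifetime and now - created > self.lifetime
        expired_idle = self.idle_timeout and now - last_used > self.idle_timeout
        if expired_lifetime or expired_idle:
            del self._entries[key]
            return None
        entry[1] = now                         # a hit refreshes the idle timer only
        self._entries.move_to_end(key)
        return credentials

    def __len__(self):
        return len(self._entries)


def demo():
    """Walk one entry through the default timeouts; returns what each lookup saw."""
    cache = GsoCache()                          # 1024 entries / 120 s idle / 900 s life
    cache.put("testuser", "payroll-app", ("svc_payroll", "s3cret"), now=0)
    seen = []
    # Touching the entry every 100 s keeps it inside the idle timeout, so only
    # the lifetime can remove it: the lookup at t=1000 finds nothing.
    for t in range(100, 1100, 100):
        seen.append(cache.get("testuser", "payroll-app", now=t) is not None)
    return seen
```

The constructed credentials in demo() are placeholders; in a real deployment the cached values are the GSO user name and password for the junctioned resource, which is why a bounded gso-cache-size and a finite lifetime matter.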

[header-names] stanza

server-name

Syntax
server-name = {iv_server_name|(no value)}

Description

Specifies the name of the HTTP header used to pass the name of the authorization API administration server (used with the server task command) to junctioned applications.

For example, when server-name = iv_server_name, and the WebSEAL instance is default-webseald-diamond.example.com, WebSEAL passes the following header and value to the junction:

iv_server_name: default-webseald-diamond.example.com

Options

iv_server_name
Typically, the default value iv_server_name is used. However, you can replace it with any valid string. Valid strings are limited to the following characters: [A-Z], [a-z], [0-9], hyphen ( - ), or underscore ( _ ).

(no value)
WebSEAL accepts a blank value for server-name, which can be used if the junctioned application uses a hardcoded server name instead of obtaining it from the header.

Usage

This stanza entry is required.

Default value

iv_server_name

Example
server-name = iv_server_name

[http-transformations] stanza

resource-name

Syntax
resource-name = resource-file

Description

Defines HTTP transformation resources. This configuration information is necessary to support WebSEAL HTTP transformations. You can use WebSEAL HTTP transformations to modify HTTP requests and HTTP responses (excluding the HTTP body) using XSLT.

Note: To enable HTTP transformations for a particular resource, attach a POP to the appropriate part of the object space. This POP must contain an extended attribute with the name HTTPTransformation and one of the following values:

- Request = resource-name
- Response = resource-name

For more details, see the information about HTTP transformations in the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.

Options

resource-name
The name of the HTTP transformation resource.

resource-file
The name of the resource file.

Note: You must restart WebSEAL for changes to an XSL rules file to take effect.

Usage

This stanza entry is optional.

Comments

If an HTTP transformation rule modifies the URI or Host header of the request, WebSEAL reprocesses the transformed request. This reprocessing ensures that the transformation does not bypass WebSEAL authorization. This behavior also means that administrators can define HTTP transformation rules to send requests to different junctions.

Note: WebSEAL performs reprocessing (and authorization) on the first HTTP transformation only. Transformed requests undergo HTTP transformation again if there is an appropriate POP attached to the associated object space. However, WebSEAL does not reprocess the new requests that result from these subsequent transformations, so a second-stage rule that changes the URI is not authorized against the new URI.

Default value

None.

Example
resourceOne = resourceOne.xsl

[ICAP:<resource>] stanza

The [ICAP:<resource>] stanza is used to define a single ICAP resource. The <resource> component of the stanza name must be changed to the actual name of the resource. To enable the ICAP resource for a particular object, a POP must be attached to the appropriate part of the object space. This POP must contain an extended attribute with the name ICAP, and a value that is equal to the name of the configured ICAP resource.

URL

Syntax
URL = URL string

Description

The complete URL on which the ICAP server is expecting requests.

Options

URL URL string

Usage

Required

Default value

None

Example
URL = icap://icap.example.net:1344/filter?mode=strict

Note: In the example, icap is the protocol being used.

transaction

Syntax
transaction = {req | rsp}

Description

The transaction for which the resource is invoked.

Options

req The ICAP server is invoked on the HTTP request.

rsp The ICAP server is invoked on the HTTP response.

Usage

Required

Default value

None

Example
transaction = req

timeout

Syntax
timeout = seconds

Description

The maximum length of time (in seconds) that WebSEAL waits for a response from the ICAP server.

Options

seconds
The time, in seconds, that WebSEAL waits for a response from the ICAP server.

Usage

Required

Default value

None

Example
timeout = 120

[illegal-url-substrings] stanza

Note: The [illegal-url-substrings] feature is deprecated. IBM might remove this feature in a subsequent release of the product.

substring

Syntax
substring = string

Description

WebSEAL blocks HTTP requests containing any of the substrings specified by these entries. Used to help mitigate the problems of cross-site scripting.

Options

string Character string.

Usage

This stanza entry is required.

Default value

<script

Example
substring = <script
substring = <applet
substring = <embed

[interfaces] stanza

interface_name

Syntax
interface_name = property=value[;property=value...]

Description

This stanza is used to define additional interfaces on which this WebSEAL instance can receive requests.

A network interface is defined as the combined set of values for a specific group of properties that include the HTTP or HTTPS port setting, IP address, worker threads setting, and certificate handling setting.

Options

property
Interface property. Can be selected from:
network-interface=<ipAddress>
http-port=<port> | "disabled"
https-port=<port> | "disabled"
certificate-label=<keyFileLabel>
accept-client-certs="never" | "required" | "optional" | "prompt_as_needed"
worker-threads=<count> | "default"

value
Value of the property. Default values, if not present, include:
network-interface=0.0.0.0
http-port="disabled"
https-port="disabled"
certificate-label= (Uses the key marked as default in the key file.)
accept-client-certs="never"
worker-threads="default"

Usage

Entries in this stanza are optional.

Default value

None.

Example

(Entered as one line:)
support = network-interface=9.0.0.8;https-port=444;certificate-label=WS6;worker-threads=16
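Each [interfaces] entry packs several properties into one line, and a mistake in it (a port out of range, a misspelled property name, client certificates requested on an interface with no HTTPS port) is only discovered when the instance is started. The parser below is an added example written for this reference, not appliance code: it applies the defaults listed above, accepts only the documented property names and values, and rejects combinations that cannot serve requests. The first sample entry is the one given above; the second entry and the invalid inputs in the checks are constructed.

```python
"""Parser and validator for [interfaces] entries.  Added illustration for this
reference, not WebSEAL code."""
import ipaddress

PROPERTIES = {   # documented property -> default when absent
    "network-interface": "0.0.0.0",
    "http-port": "disabled",
    "https-port": "disabled",
    "certificate-label": None,      # None: the key marked as default in the key file
    "accept-client-certs": "never",
    "worker-threads": "default",
}
CLIENT_CERT_MODES = {"never", "required", "optional", "prompt_as_needed"}


def _port(value):
    if value == "disabled":
        return "disabled"
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: {}".format(value))
    return port


def parse_interface(entry):
    """Parse 'name = prop=value;prop=value...' into (name, properties)."""
    name, sep, spec = entry.partition("=")
    if not sep or not name.strip():
        raise ValueError("expected interface_name = property=value[;...]")
    props = dict(PROPERTIES)
    seen = set()
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if not sep or key not in PROPERTIES:
            raise ValueError("unknown or malformed property: {!r}".format(item))
        if key in seen:
            raise ValueError("property given twice: {}".format(key))
        seen.add(key)
        props[key] = value

    # Normalise and validate each documented value.
    ipaddress.ip_address(props["network-interface"])          # raises on garbage
    props["http-port"] = _port(props["http-port"])
    props["https-port"] = _port(props["https-port"])
    if props["accept-client-certs"] not in CLIENT_CERT_MODES:
        raise ValueError("accept-client-certs must be one of {}".format(sorted(CLIENT_CERT_MODES)))
    if props["worker-threads"] != "default":
        props["worker-threads"] = int(props["worker-threads"])
        if props["worker-threads"] < 1:
            raise ValueError("worker-threads must be positive")

    # Combinations that cannot work: nothing listening, or client certificate
    # handling on an interface that never speaks TLS.
    if props["http-port"] == "disabled" and props["https-port"] == "disabled":
        raise ValueError("interface {!r} has no HTTP or HTTPS port".format(name.strip()))
    if props["accept-client-certs"] != "never" and props["https-port"] == "disabled":
        raise ValueError("accept-client-certs needs an https-port")
    return name.strip(), props


def parse_interfaces_stanza(lines):
    """Parse the body of an [interfaces] stanza; duplicate names are an error."""
    interfaces = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, props = parse_interface(line)
        if name in interfaces:
            raise ValueError("interface defined twice: {}".format(name))
        interfaces[name] = props
    return interfaces


def rejects(entry):
    """True when parse_interface refuses the entry (used in the checks below)."""
    try:
        parse_interface(entry)
    except ValueError:
        return True
    return False


# The example entry from this reference plus a constructed second interface.
SAMPLE_STANZA = [
    "support = network-interface=9.0.0.8;https-port=444;certificate-label=WS6;worker-threads=16",
    "admin = network-interface=192.0.2.10;https-port=8443;accept-client-certs=required",
]

if __name__ == "__main__":
    for name, props in parse_interfaces_stanza(SAMPLE_STANZA).items():
        print(name, props)
```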

[itim] stanza

This stanza contains the configuration options for the IBM Security Identity Manager Password Synchronization Plug-in. The Password Synchronization Plug-in synchronizes user passwords from IBM Security Access Manager for Web to IBM Security Identity Manager, previously known as IBM Tivoli Identity Manager.

For more information about this plug-in, see the Password Synchronization Plug-in for IBM Security Access Manager Installation and Configuration Guide, which you can find in the IBM Security Identity Manager Information Center: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0/ic-homepage.htm.

is-enabled

Syntax
is-enabled = {true|false}

Description

Determines whether the Password Synchronization Plug-in for IBM Security Identity Manager is enabled.

Options

true Enables the Password Synchronization Plug-in.

false Disables the Password Synchronization Plug-in.

Usage

This stanza entry is optional.

Default value

false

Exampleis-enabled = false

itim-server-name

Syntaxitim-server-name = <itim_server>

112 IBM Security Web Gateway Appliance Version 7.0: Web Reverse Proxy Stanza Reference

Page 129: Web Reverse Proxy Stanza Reference - IBM · IBM SecurityWeb GatewayAppliance Version 7.0 Web Reverse Proxy Stanza Reference SC27-4443-00

Description

Specifies the host name or IP address of the server that is running IBM SecurityIdentity Manager.

Note: In a WebSphere Application Server cluster environment, you must configureSSL for the IBM HTTP Server. In a WebSphere Application Server single-serverenvironment, you do not need to configure SSL for the IBM HTTP Server.

Options

<itim_server>

Specifies the host name or IP address of the IBM Security Identity Manager server that communicates with IBM Security Access Manager for Web.

Usage

This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.

Default value

None.

Example

itim-server-name = identityMgr01.ibm.com

itim-servlet-context

Syntax

itim-servlet-context = <directory_path>

Description

Indicates the password synchronization context root on the application server.

Options

<directory_path>

Specifies the directory path for the password synchronization context root on the application server.

Usage

This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.

Default value

/passwordsynch/synch

Example

itim-servlet-context = /passwordsynch/synch


keydatabase-file

Syntax

keydatabase-file = <file_name>

Description

Specifies the name of the key database file.

Options

<file_name>

The name of the key database file.

Usage

This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.

Default value

None.

Example

keydatabase-file = revpwdsync.kdb

keydatabase-password

Syntax

keydatabase-password = <db_password>

Description

Specifies the password for the key database in the keydatabase-file.

Note: The IBM Security Web Gateway Appliance uses stash files to manage the passwords for key files. As a result, key file passwords are not available to the administrator of the appliance.

If you do not know the password for the key database file, you can use the keydatabase-password-file entry to specify the name of the password stash file instead. If you configure the keydatabase-password-file entry, you can leave the keydatabase-password entry unconfigured.

The Password Synchronization Plug-in requires knowledge of the database password. Therefore, if you do not configure the keydatabase-password-file entry, you must configure the keydatabase-password entry. To complete this configuration, follow this process:
1. Create the key file externally to the appliance. Use a known password to generate the new key file.
2. Import the key file on to the appliance.
3. Configure the keydatabase-password configuration entry with the known password for the Password Synchronization Plug-in.


Options

<db_password>

Specifies the password for the key database file.

Usage

If the is-enabled configuration entry in the [itim] stanza is set to true, you must set one of the following entries for the key database password:
v keydatabase-password
v keydatabase-password-file

Note: If there is a value configured for both of these entries, WebSEAL uses the keydatabase-password.

Default value

None.

Example

keydatabase-password = myPassword1

keydatabase-password-file

Syntax

keydatabase-password-file = <password_stash_file>

Description

Specifies the name of the stash file that stores the password for the key database.

Options

<password_stash_file>

Specifies the name of the stash file that stores the password for the key database.

Usage

If the is-enabled configuration entry in the [itim] stanza is set to true, you must set one of the following entries for the key database password:
v keydatabase-password
v keydatabase-password-file

Note: If there is a value configured for both of these entries, WebSEAL uses the keydatabase-password.

Default value

None.

Example

keydatabase-password-file = dbPassword.sth


principal-name

Syntax

principal-name = <user_name>

Description

Specifies an IBM Security Identity Manager user ID that has the necessary permissions to complete the check and synchronization operations.

Note: Do not use the ITIM manager account for this purpose. Create a separate account on the IBM Security Identity Manager server with the same permissions.

Options

<user_name>

Specifies the name of the IBM Security Identity Manager user that the Password Synchronization Plug-in can use to request synchronization operations.

Usage

This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.

Default value

None.

Example

principal-name = admin_userA

principal-password

Syntax

principal-password = <user_password>

Description

Specifies the password of the IBM Security Identity Manager user that is specified by principal-name.

Options

<user_password>

Specifies the password for the IBM Security Identity Manager account.

Usage

This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.

Default value

None.


Example

principal-password = myPassword1

service-password-dn

Syntax

service-password-dn = <service_pseudo_dn>

Description

Defines the pseudo-distinguished name of the service that issues the password synchronization request.

The Password Synchronization Plug-in uses the service-password-dn pseudo-distinguished name for requests that use the standard password authentication method. If this configuration entry is specified, it overrides service-source-dn when using the password authentication method.

Note: You can specify more than one pseudo-distinguished name. Separate the pseudo-distinguished names with a semicolon (;) character. The Password Synchronization Plug-in iterates through the list of service names until it finds an account for one of the services. If the Password Synchronization Plug-in cannot find an account for the specified services, it returns an error message.

Each pseudo-distinguished name is a comma-separated list of the following attributes:
v The erservicename attribute of the Security Access Manager service name, as defined in IBM Security Identity Manager. For example, erservicename=TAM 6.0 Service.
v The o attribute of the organization to which the service belongs. For example, o=International Business Machines.
v The ou and dc attributes from the service distinguished name in IBM Security Identity Manager. For example, ou=IBM,dc=com.

The pseudo-distinguished name that is formed from these example values is: erservicename=TAM 6.0 Service,o=International Business Machines,ou=IBM,dc=com.

Options

<service_pseudo_dn>

Specifies the service pseudo-distinguished name for the standard password authentication method.

Usage

If the is-enabled configuration entry in the [itim] stanza is set to true, then you must configure at least one of the following configuration entries:
v service-source-dn
v service-password-dn
v service-token-card-dn

Default value

None.


Example

service-password-dn = erservicename=ISAM Employees Service,o=IBM,ou=IBM,dc=com

service-source-dn

Syntax

service-source-dn = <service_pseudo_dn>

Description

Defines the pseudo-distinguished name of the service that issues the password synchronization request. The service-source-dn entry supplies the pseudo-distinguished name for all authentication methods.

Note: You can specify more than one pseudo-distinguished name in the value of this configuration entry. Separate the pseudo-distinguished names with a semicolon (;) character. The Password Synchronization Plug-in iterates through the list of service names until it finds an account for one of the services. If the Password Synchronization Plug-in cannot find an account for the specified services, it returns an error message.

Each pseudo-distinguished name is a comma-separated list of the following attributes:
v The erservicename attribute of the Security Access Manager service name, as defined in IBM Security Identity Manager. For example, erservicename=TAM 6.0 Service.
v The o attribute of the organization to which the service belongs. For example, o=International Business Machines.
v The ou and dc attributes from the service distinguished name in IBM Security Identity Manager. For example, ou=IBM,dc=com.

The pseudo-distinguished name that is formed from these example values is: erservicename=TAM 6.0 Service,o=International Business Machines,ou=IBM,dc=com.

Options

<service_pseudo_dn>

Specifies the service pseudo-distinguished name for all authentication methods.

Usage

If the is-enabled configuration entry in the [itim] stanza is set to true, then you must configure at least one of the following configuration entries:
v service-source-dn
v service-password-dn
v service-token-card-dn

Default value

None.


Example

service-source-dn = erservicename=ISAM Employees Service,o=IBM,ou=IBM,dc=com;erservicename=TAM Customers Service,o=IBM,ou=IBM,dc=com

service-token-card-dn

Syntax

service-token-card-dn = <service_pseudo_dn>

Description

Defines the pseudo-distinguished name of the service that issues the password synchronization request.

The Password Synchronization Plug-in uses the service-token-card-dn pseudo-distinguished name for requests that use the token card authentication method. If this configuration entry is specified, it overrides service-source-dn when using the token card authentication method.

Note: You can specify more than one pseudo-distinguished name. Separate the pseudo-distinguished names with a semicolon (;). The Password Synchronization Plug-in iterates through the list of service names until it finds an account for one of the services. If the Password Synchronization Plug-in cannot find an account for the specified services, it returns an error message.

Each pseudo-distinguished name is a comma-separated list of the following attributes:
v The erservicename attribute of the Security Access Manager service name, as defined in IBM Security Identity Manager. For example, erservicename=TAM 6.0 Service.
v The o attribute of the organization to which the service belongs. For example, o=International Business Machines.
v The ou and dc attributes from the service distinguished name in IBM Security Identity Manager. For example, ou=IBM,dc=com.

The pseudo-distinguished name that is formed from these example values is: erservicename=TAM 6.0 Service,o=International Business Machines,ou=IBM,dc=com.

Options

<service_pseudo_dn>

Specifies the service pseudo-distinguished name for the token card authentication method.

Usage

If the is-enabled configuration entry in the [itim] stanza is set to true, then you must configure at least one of the following configuration entries:
v service-source-dn
v service-password-dn
v service-token-card-dn


Default value

None.

Example

service-token-card-dn = erservicename=ISAM Employees Service,o=IBM,ou=IBM,dc=com
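The pseudo-distinguished name format and the precedence between service-source-dn, service-password-dn and service-token-card-dn described above, as one added example (this is not IBM's code and not the plug-in's implementation). It assumes the constructed [itim] values shown in the block, and it models "an account exists for a service" as membership in a constructed set of service names.

```python
"""Added example, not IBM's code: parse the service-*-dn values of the
[itim] stanza and resolve which pseudo-DN list the Password Synchronization
Plug-in consults for a given authentication method, following the override
rules in this reference. The stanza values below are constructed."""
from typing import Dict, List, Optional, Set

# Constructed [itim] values: ';' separates alternative pseudo-DNs.
# service-token-card-dn is deliberately left unset, so token card requests
# fall back to service-source-dn.
ITIM_STANZA: Dict[str, str] = {
    "service-source-dn": (
        "erservicename=ISAM Employees Service,o=IBM,ou=IBM,dc=com;"
        "erservicename=TAM Customers Service,o=IBM,ou=IBM,dc=com"
    ),
    "service-password-dn": "erservicename=ISAM Employees Service,o=IBM,ou=IBM,dc=com",
}

# Attributes the reference says make up each pseudo-distinguished name.
REQUIRED_ATTRS = ("erservicename", "o", "ou", "dc")

# Method-specific entries that override service-source-dn when configured.
METHOD_SPECIFIC_ENTRY = {
    "password": "service-password-dn",
    "token-card": "service-token-card-dn",
}


def parse_pseudo_dn(text: str) -> Dict[str, str]:
    """Split one comma-separated pseudo-DN into an attribute dictionary and
    reject it if any of the documented attributes is missing."""
    attrs: Dict[str, str] = {}
    for component in text.split(","):
        if "=" not in component:
            raise ValueError(f"malformed pseudo-DN component: {component!r}")
        name, value = component.split("=", 1)
        attrs[name.strip().lower()] = value.strip()
    missing = [a for a in REQUIRED_ATTRS if a not in attrs]
    if missing:
        raise ValueError(f"pseudo-DN {text!r} lacks attribute(s) {missing}")
    return attrs


def parse_pseudo_dn_list(value: str) -> List[Dict[str, str]]:
    """Split a stanza value on ';' and parse each pseudo-DN, keeping the
    order because the plug-in tries the services in that order."""
    return [parse_pseudo_dn(item) for item in value.split(";") if item.strip()]


def select_dn_entry(stanza: Dict[str, str], auth_method: str) -> Optional[str]:
    """Name of the stanza entry used for this authentication method: the
    method-specific entry if it is configured, otherwise service-source-dn."""
    specific = METHOD_SPECIFIC_ENTRY.get(auth_method)
    if specific and stanza.get(specific):
        return specific
    if stanza.get("service-source-dn"):
        return "service-source-dn"
    return None


def find_service(stanza: Dict[str, str], auth_method: str,
                 services_with_account: Set[str]) -> Optional[str]:
    """Walk the configured pseudo-DN list and return the erservicename of the
    first service for which an account exists; None stands for the error the
    plug-in returns when none of the listed services has an account."""
    entry = select_dn_entry(stanza, auth_method)
    if entry is None:
        raise ValueError("at least one service-*-dn entry is required "
                         "when is-enabled = true")
    for dn in parse_pseudo_dn_list(stanza[entry]):
        if dn["erservicename"] in services_with_account:
            return dn["erservicename"]
    return None
```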

servlet-port

Syntax

servlet-port = <port_number>

Description

Specifies the port number for communicating with the IBM Security Identity Manager server that is specified by the itim-server-name configuration entry.

The default HTTPS port is 9443 for a single server configuration and 443 for an IBM Security Identity Manager cluster with HTTP SSL configured.

Options

<port_number>

Specifies the port number for communication with the IBM Security Identity Manager server.

Usage

This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.

Default value

9443

Example

servlet-port = 9443

[jdb-cmd:replace] stanza

jct-id=search-attr-value|replace-attr-value

Syntax

jct-id=search-attr-value|replace-attr-value

Description

Defines the mapping rules for the jdb import command. These mapping rules are applied to each attribute in the junction archive file before you import the new junction database.

Options

jct-id Refers to the junction point for a standard junction, which includes the leading '/' (slash), or the virtual host label for a virtual host junction.


search-attr-value

Specifies the attribute value in the junction definition for which you want to search and replace.

replace-attr-value

Specifies the new attribute value that replaces search-attr-value in the junction definition.

Usage

This stanza entry is not required.

Default value

None.

Example

/test-jct = webseal.au.ibm.com|webseal.gc.au.ibm.com

[junction] stanza

allow-backend-domain-cookies

Syntax

allow-backend-domain-cookies = {yes|no}

Description

Indicates whether WebSEAL is allowed to send domain cookies from a back-end server to a client.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

yes Enable WebSEAL to send domain cookies from a back-end server to a client.

no Prevent WebSEAL from sending domain cookies from a back-end server to a client.

Usage

This stanza entry is required.

Default value

no

Example

allow-backend-domain-cookies = no


basicauth-dummy-passwd

Syntax

basicauth-dummy-passwd = dummy_password

Description

Global password used when supplying basic authentication data over junctions that were created with the -b supply argument.

Options

dummy_password

Global password used when supplying basic authentication data over junctions that were created with the -b supply argument. Passwords must consist of ASCII characters.

Usage

This stanza entry is required.

Default value

dummy

Example

basicauth-dummy-passwd = dummy

crl-ldap-server

Syntax

crl-ldap-server = server_name

Description

Specifies the server to be contacted to obtain Certificate Revocation Lists (CRL).

Options

server_name

This parameter can be set to one of two types of values:
1. The name of the LDAP server to be referenced as a source for Certificate Revocation Lists (CRL) during authentication across SSL junctions. If this is used, you may also need to set the following parameters:
v crl-ldap-server-port
v crl-ldap-user
v crl-ldap-user-password
2. The literal string "URI". In the case where no direct LDAP server is available, this allows GSKit to obtain revocation information from LDAP or the HTTP servers as specified by the CA in the Certificate Distribution Point (CDP) extension of the certificate.

Note: In addition to specifying the string "URI", it is also possible to specify an HTTP server for crl-ldap-server. However, WebSEAL does not currently support the ability to specify an HTTP proxy server, which can provide performance improvements when HTTP servers are used.

Usage

This stanza entry is optional.

Default value

None.

Example

crl-ldap-server = diamond.example.com

crl-ldap-server-port

Syntax

crl-ldap-server-port = port_number

Description

Port number for communication with the LDAP server specified in crl-ldap-server. The LDAP server is referenced for Certificate Revocation List (CRL) checking during authentication across SSL junctions.

Options

port_number

Port number for communication with the LDAP server specified in crl-ldap-server.

Usage

This stanza entry is optional. When crl-ldap-server is specified, this stanza entry is required.

Default value

None.

Example

crl-ldap-server-port = 389

crl-ldap-user

Syntax

crl-ldap-user = user_DN

Description

Fully qualified distinguished name (DN) of an LDAP user who has permissions to retrieve the Certificate Revocation List.


Options

user_DN

Fully qualified distinguished name (DN) of an LDAP user who has permissions to retrieve the Certificate Revocation List. A null value for crl-ldap-server indicates that the SSL authenticator should bind to the LDAP server anonymously.

Usage

This stanza entry is optional.

Default value

None.

Example

crl-ldap-user = user_DN

crl-ldap-user-password

Syntax

crl-ldap-user-password = password

Description

The password for the LDAP user specified in the crl-ldap-user stanza entry.

Options

password

The password for the LDAP user specified in the crl-ldap-user stanza entry.

Usage

This stanza entry is optional. When crl-ldap-user is specified, this stanza entry is required.

Default value

None.

Example

crl-ldap-user-password = mypassw0rd

disable-ssl-v2

Syntax

disable-ssl-v2 = {yes|no}

Description

Disables support for SSL Version 2 for junction connections. Support for SSL v2 is disabled by default.


Options

yes The value yes means support is disabled.

no The value no means the support is enabled.

Usage

This stanza entry is optional. When not specified, the default is yes. The WebSEAL configuration sets this value.

Default value

yes

Example

disable-ssl-v2 = yes

disable-ssl-v3

Syntax

disable-ssl-v3 = {yes|no}

Description

Disables support for SSL Version 3 for junction connections. Support for SSL V3 is enabled by default.

Options

yes The value yes means support is disabled.

no The value no means the support is enabled.

Usage

This stanza entry is optional. When not specified, the default is no. The WebSEAL configuration sets this value.

Default value

no

Example

disable-ssl-v3 = no

disable-tls-v1

Syntax

disable-tls-v1 = {yes|no}

Description

Disables support for TLS Version 1 for junction connections. Support for TLS V1 is enabled by default.


Options

yes The value yes means support is disabled.

no The value no means the support is enabled.

Usage

This stanza entry is optional. When not specified, the default is no. The WebSEAL configuration sets this value.

Default value

no

Example

disable-tls-v1 = no

disable-tls-v11

Syntax

disable-tls-v11 = {yes|no}

Description

Determines whether WebSEAL supports Transport Layer Security (TLS) version 1.1 for junction connections. Support for TLS v1.1 is enabled by default.

Options

yes The value yes disables support for TLS version 1.1.

no The value no enables support for TLS version 1.1.

Usage

This stanza entry is optional. If this entry is not specified, the default is no.

Default value

no

Example

disable-tls-v11 = no

disable-tls-v12

Syntax

disable-tls-v12 = {yes|no}

Description

Determines whether WebSEAL supports Transport Layer Security (TLS) version 1.2 for junction connections. Support for TLS v1.2 is enabled by default.


Options

yes The value yes disables support for TLS version 1.2.

no The value no enables support for TLS version 1.2.

Usage

This stanza entry is optional. If this entry is not specified, the default is no.

Default value

no

Example

disable-tls-v12 = no

dont-reprocess-jct-404s

Syntax

dont-reprocess-jct-404s = {yes|no}

Description

If a resource cannot be found on a back-end server, that server returns an HTTP 404 error. The dont-reprocess-jct-404s stanza entry controls whether or not WebSEAL processes the request again by prepending the junction name to the URL.

You should never need to enable this stanza entry if you follow this best practice for junctions: The junction name should not match any directory name used in the Web space of the back-end server if HTML pages from that server contain programs (such as JavaScript or applets) with server-relative URLs to that directory.

The following scenario can occur when one does not adhere to this best practice for junctions:
1. A resource is located in the following subdirectory (using the same name as the junction) on the back-end server: /jct/page.html.
2. A page received by the client from this back-end server contains the following URL: /jct/page.html
3. When the link is followed, WebSEAL can immediately process the request because it recognizes what it thinks is the junction name in the URL. No configured URL modification technique is required.
4. At the time the request is forwarded to the back-end server, the junction name (/jct) is removed from the URL. The resource (/page.html) is not found at the root of the back-end server file system. The server returns a 404 error.
5. If WebSEAL is configured for dont-reprocess-jct-404s=no, it reprocesses the URL and prepends the junction name to the original URL: /jct/jct/page.html
6. Now the resource is successfully located at /jct/page.html on the back-end server.

NOTE:

v The default behavior in WebSEAL is to reprocess a request URL after an HTTP 404 error is returned from the back-end server. You can set the value of dont-reprocess-jct-404s to yes to override this default behavior.

v If the reprocess-root-jct-404s entry (also in the [junction] stanza) has been set to yes, then root junction resource requests that result in an HTTP 404 error will be reprocessed regardless of the setting of this dont-reprocess-jct-404s stanza entry.

Options

yes When the back-end server returns an HTTP 404 error, do not reprocess the request URL.

no When the back-end server returns an HTTP 404 error, reprocess the request URL by prepending the junction name to the existing URL.

Usage

This stanza entry is required.

Default value

The default value in the template configuration file is yes.

Example

dont-reprocess-jct-404s = yes
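The six-step scenario above, traced in code as an added example (not IBM's code and not WebSEAL's implementation): a constructed back-end web space whose /jct directory collides with the junction name, and a request handler that applies the dont-reprocess-jct-404s rule. The model only covers the standard-junction path rewriting the reference describes; reprocess-root-jct-404s is not modelled.

```python
"""Added example, not IBM's code: a small model of how a request travels
over a standard junction and what dont-reprocess-jct-404s changes when the
back-end server answers 404. The back-end web space is constructed."""
from typing import Set, Tuple

# Constructed back-end web space: the /jct directory has the same name as
# the junction, which is the situation the reference warns about.
BACKEND_PATHS: Set[str] = {"/jct/page.html", "/index.html"}


def backend_get(path: str, paths: Set[str] = BACKEND_PATHS) -> int:
    """Status the junctioned server returns for a server-relative path."""
    return 200 if path in paths else 404


def strip_junction(url: str, junction: str) -> str:
    """Remove the leading junction name before forwarding, as WebSEAL does."""
    if url == junction or url.startswith(junction + "/"):
        return url[len(junction):] or "/"
    raise ValueError(f"{url!r} is not under junction {junction!r}")


def proxy_request(url: str, junction: str = "/jct",
                  dont_reprocess_jct_404s: bool = True) -> Tuple[int, str]:
    """Forward url over the junction; return (status, path sent last).

    With dont-reprocess-jct-404s = no, a 404 makes WebSEAL prepend the
    junction name to the original URL and forward again: /jct/page.html
    becomes /jct/jct/page.html, which reaches the back-end as
    /jct/page.html. With yes, the client receives the first 404.
    """
    forwarded = strip_junction(url, junction)
    status = backend_get(forwarded)
    if status == 404 and not dont_reprocess_jct_404s:
        forwarded = strip_junction(junction + url, junction)
        status = backend_get(forwarded)
    return status, forwarded
```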

dynamic-addresses

Syntax

dynamic-addresses = {yes|no}

Description

Indicates when the junction server host name is resolved to its corresponding IP address and used in communication with the junction server.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

yes The junction server host name is resolved to its corresponding IP address immediately before any communication with the junction server.

no The junction server host name is resolved to its corresponding IP address and this address is used for subsequent communication with the junction server.

Usage

This stanza entry is required.


Default value

no

Example

dynamic-addresses = no

http-timeout

Syntax

http-timeout = number_of_seconds

Description

Integer value indicating the timeout, in seconds, for sending to and reading from a TCP junction.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

number_of_seconds

Integer value indicating the timeout, in seconds, for sending to and reading from a TCP junction. The minimum value is 0. When the value is 0, there is no timeout. WebSEAL does not impose a maximum value.

Usage

This stanza entry is required.

Default value

120

Example

http-timeout = 120

https-timeout

Syntax

https-timeout = number_of_seconds

Description

Integer value indicating the timeout, in seconds, for sending to and reading from a Secure Socket Layer (SSL) junction.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.


Options

number_of_seconds

Integer value indicating the timeout, in seconds, for sending to and reading from a Secure Socket Layer (SSL) junction. The minimum value is 0. When the value is 0, there is no timeout. WebSEAL does not impose a maximum value.

Usage

This stanza entry is required.

Default value

120

Example

https-timeout = 120
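The per-junction [junction:{junction_name}] override described for allow-backend-domain-cookies, dynamic-addresses, http-timeout and https-timeout, together with the disable-ssl-v2 through disable-tls-v12 defaults listed earlier in this stanza, as one added example (not IBM's code and not the appliance's own configuration parser). It assumes Python's configparser can read the stanza format, a constructed configuration with an override stanza for the junction point /app, and the per-junction entry list and protocol defaults exactly as this reference states them.

```python
"""Added example, not IBM's code: read a WebSEAL-style configuration with
configparser, resolve a [junction] entry through its optional
[junction:{junction_name}] override, and audit the disable-ssl-* and
disable-tls-* switches against the defaults this reference lists.
The configuration text is constructed."""
import configparser
from typing import Dict, List, Optional

# Constructed configuration: global [junction] entries plus an override
# stanza for the standard junction /app.
SAMPLE_CONFIG = """
[junction]
allow-backend-domain-cookies = no
dynamic-addresses = no
http-timeout = 120
https-timeout = 120
disable-ssl-v2 = yes
disable-ssl-v3 = no
disable-tls-v1 = no

[junction:/app]
http-timeout = 30
dynamic-addresses = yes
"""

# Entries the reference says can be customized in a [junction:<name>] stanza.
PER_JUNCTION_ENTRIES = {"allow-backend-domain-cookies", "dynamic-addresses",
                        "http-timeout", "https-timeout"}

# Default of each protocol switch when the entry is not specified; per the
# reference only SSL v2 is disabled by default.
PROTOCOL_DEFAULTS: Dict[str, str] = {
    "disable-ssl-v2": "yes", "disable-ssl-v3": "no", "disable-tls-v1": "no",
    "disable-tls-v11": "no", "disable-tls-v12": "no",
}


def load_config(text: str) -> configparser.ConfigParser:
    """Parse stanza text; interpolation is off so a '%' in a value is literal."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def junction_value(cfg: configparser.ConfigParser, entry: str,
                   junction_name: Optional[str] = None) -> Optional[str]:
    """Effective value of a [junction] entry for one junction.

    A [junction:<name>] override is honored only for entries the reference
    marks as customizable per junction; everything else comes from the
    global [junction] stanza. None means the entry is not configured."""
    if junction_name is not None and entry in PER_JUNCTION_ENTRIES:
        override = f"junction:{junction_name}"
        if cfg.has_option(override, entry):
            return cfg.get(override, entry)
    if cfg.has_option("junction", entry):
        return cfg.get("junction", entry)
    return None


def enabled_protocols(cfg: configparser.ConfigParser) -> List[str]:
    """Protocol versions still enabled for junction connections, applying
    the documented default wherever a disable-* entry is absent."""
    enabled = []
    for entry, default in PROTOCOL_DEFAULTS.items():
        value = (junction_value(cfg, entry) or default).strip().lower()
        if value == "no":
            enabled.append(entry[len("disable-"):])
    return enabled


def weak_protocols(cfg: configparser.ConfigParser) -> List[str]:
    """SSL v2 and v3 are obsolete protocol versions; report any that the
    configuration (or a default) leaves enabled so they can be switched off."""
    return [p for p in enabled_protocols(cfg) if p.startswith("ssl-")]
```

Running weak_protocols on the constructed configuration reports ssl-v3, which is enabled there only because the entry's documented default is no.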

insert-client-real-ip-for-option-r

Syntax

insert-client-real-ip-for-option-r = {yes|no}

Description

Determines whether to use the current IP address of the client or the one cached in the credentials at authentication time for the value passed in a header to junctions created with the -r option.

Options

yes Use the current IP address of the client for the value passed in a header to junctions created with the -r option.

no Use the client IP address cached in the credentials at authentication time for the value passed in a header to junctions created with the -r option.

Usage

This stanza entry is required.

Default value

no

Example

insert-client-real-ip-for-option-r = no

io-buffer-size

Syntax

io-buffer-size = number_of_bytes

Description

Positive integer value indicating the buffer size, in bytes, for low-level reads from and writes to a junction.


Options

number_of_bytes

Positive integer value indicating the buffer size, in bytes, for low-level reads from and writes to a junction.

The minimum value is 1. WebSEAL does not impose a maximum value.

A very small value (for instance, 10 bytes) can hurt performance by causing very frequent calls to the low-level read/write APIs. Up to a certain point, larger values improve performance because they correspondingly reduce the calls to the low-level I/O functions.

However, the low-level I/O functions may have their own internal buffers, such as the TCP send and receive buffers. Once io-buffer-size exceeds the size of those buffers (which are typically not large), there is no longer any performance improvement at all because those functions only read part of the buffer at a time.

Reasonable values for io-buffer-size range between 1 kB and 8 kB. Values smaller than this range cause the low-level I/O functions to be called too frequently. Values larger than this range waste memory. A 2 MB I/O buffer size uses 4 MB for each worker thread communicating with the junctioned server, since there is both an input and an output buffer.

Usage

This stanza entry is required.

Default value

4096

Example

io-buffer-size = 4096

jct-cert-keyfile

Syntax

jct-cert-keyfile = file_name

Description

WebSEAL provides an option to configure a separate certificate key database for junction SSL operations rather than sharing the one used for client certificates specified in the [ssl] stanza. The jct-cert-keyfile parameter specifies the junction certificate keyfile. If this option is enabled, this is the keyfile used for CA and client certificates when negotiating SSL sessions with junctions.

Note: This stanza entry is commented out in the WebSEAL configuration file. To enable the option of using a separate certificate key database for junctioned servers, create the pdjct.kdb keyfile (and optional stash file) using iKeyman, and uncomment the options jct-cert-keyfile and either jct-cert-keyfile-stash or jct-cert-keyfile-pwd in the configuration file.


Options

file_name

The name of the optional, separate junction certificate keyfile.

Note: If jct-cert-keyfile is defined, then either jct-cert-keyfile-pwd or jct-cert-keyfile-stash must also be defined.

Usage

This stanza entry is optional.

Default value

pdjct.kdb

Example

jct-cert-keyfile = pdjct.kdb

jct-cert-keyfile-stash

Syntax

jct-cert-keyfile-stash = file_name

Description

WebSEAL provides an option to configure a separate certificate key database for junction SSL operations rather than sharing the one used for client certificates specified in the [ssl] stanza. The jct-cert-keyfile-stash parameter specifies the stash file for the optional, separate junction certificate database.

Note: This stanza entry is commented out in the WebSEAL configuration file. To enable the option of using a separate certificate key database for junctioned servers, create the pdjct.kdb keyfile (and optional stash file) using iKeyman, and uncomment the options jct-cert-keyfile and either jct-cert-keyfile-stash or jct-cert-keyfile-pwd in the configuration file.

Options

file_name

The name of the stash file for the optional, separate junction certificate database.

Note: If jct-cert-keyfile is defined, then either jct-cert-keyfile-pwd or jct-cert-keyfile-stash must also be defined.

Usage

This stanza entry is optional.

Default value

pdjct.sth

Example

jct-cert-keyfile-stash = pdjct.sth


jct-cert-keyfile-pwd

Syntax

jct-cert-keyfile-pwd = password

Description

WebSEAL provides an option to configure a separate certificate key database for junction SSL operations rather than sharing the one used for client certificates specified in the [ssl] stanza. When this stanza entry is assigned a value, that value is used instead of any password that is contained in the stash file specified by jct-cert-keyfile-stash. This stanza entry stores the password in plain text. Use the stash file for optimum security.

Note: This stanza entry is commented out in the WebSEAL configuration file. To enable the option of using a separate certificate key database for junctioned servers, create the /var/pdweb/www-default/certs/pdjct.kdb keyfile (and optional stash file) using iKeyman, and uncomment the options jct-cert-keyfile and either jct-cert-keyfile-stash or jct-cert-keyfile-pwd in the configuration file.

Options

password Password used to protect private keys in the optional, separate junction key certificate database.

Note: If jct-cert-keyfile is defined, then either jct-cert-keyfile-pwd or jct-cert-keyfile-stash must also be defined.

Usage

This stanza entry is optional.

Default value

none

Example

jct-cert-keyfile-pwd = J73R45huu

jct-ocsp-enable

Syntax

jct-ocsp-enable = {yes|no}

Description

Enable Online Certificate Status Protocol (OCSP) for checking the revocation status of certificates supplied by a junction server using the OCSP URL embedded in the certificate using an Authority Info Access (AIA) extension.

Options

yes Enable OCSP to check the revocation status of junction server supplied certificates.


no Disable OCSP checking of junction server supplied certificates.

Usage

This stanza entry is optional.

Note: This option can be used as an alternative to, or in conjunction with, the jct-ocsp-url option.

Default value

no

Example

jct-ocsp-enable = no

jct-ocsp-max-response-size

Syntax

jct-ocsp-max-response-size = number of bytes

Description

Sets the maximum response size (in bytes) that will be accepted as a response from an OCSP responder. This limit helps protect against a denial of service attack.

Options

Maximum response size, in bytes.

Usage

This stanza entry is optional.

Default value

204080

Example

jct-ocsp-max-response-size = 20480

jct-ocsp-nonce-check-enable

Syntax

jct-ocsp-nonce-check-enable = {yes|no}

Description

Determines whether WebSEAL checks the nonce in the OCSP response. Enabling this option improves security but can cause OCSP Response validation to fail if there is a caching proxy between WebSEAL and the OCSP Responder. Note that enabling this option automatically enables the jct-ocsp-nonce-generation-enable option.


Options

yes WebSEAL checks the nonce in the OCSP response to verify that it matches the nonce from the request.

no WebSEAL does not check the nonce in the OCSP response.

Usage

This stanza entry is optional.

Default value

no

Example

jct-ocsp-nonce-check-enable = no

jct-ocsp-nonce-generation-enable

Syntax

jct-ocsp-nonce-generation-enable = {yes|no}

Description

Determines whether WebSEAL generates a nonce as part of the OCSP request. Enabling this option can improve security by preventing replay attacks on WebSEAL but may cause an excessive load on an OCSP Responder appliance as the responder cannot use cached responses and must sign each response.

Options

yes WebSEAL generates a nonce as part of the OCSP request.

no WebSEAL does not generate a nonce as part of the OCSP request.

Usage

This stanza entry is optional.

Default value

no

Example

jct-ocsp-nonce-generation-enable = no

jct-ocsp-proxy-server-name

Syntax

jct-ocsp-proxy-server-name = <proxy host name>

Description

Specifies the name of the proxy server that provides access to the OCSP responder.


Options

proxy host name Fully qualified name of the proxy server.

Usage

This stanza entry is optional.

Default value

None

Example

jct-ocsp-proxy-server-name = proxy.ibm.com

jct-ocsp-proxy-server-port

Syntax

jct-ocsp-proxy-server-port = <proxy host port number>

Description

Specifies the port number of the proxy server that provides access to the OCSP Responder.

Options

proxy host port number Port number used by the proxy server to route OCSP requests and responses.

Usage

This stanza entry is optional.

Default value

None

Example

jct-ocsp-proxy-server-port = 8888

jct-ocsp-url

Syntax

jct-ocsp-url = <OCSP Responder URL>

Description

Specifies the URL for the OCSP Responder. If a URL is provided, WebSEAL will use OCSP for all revocation status checking regardless of whether the certificate has an Authority Info Access (AIA) extension, which means that OCSP will work with existing certificates. WebSEAL will first try the OCSP Responder that is configured by this method rather than using a location specified by AIA extension. If revocation status is undetermined, and if jct-ocsp-enable is set to yes, then WebSEAL will try to obtain revocation status using the access method in the AIA extension.

Options

OCSP Responder URL URL of the OCSP Responder.

Usage

This stanza entry is optional.

Default value

None

Example

jct-ocsp-url = http://responder.ibm.com/

jct-ssl-reneg-warning-rate

Syntax

jct-ssl-reneg-warning-rate = number_renegotiations/minute

Description

When this option is set to a value greater than zero (0), WebSEAL produces a warning message if the SSL session renegotiation rate between junction servers and WebSEAL reaches this level or greater. The value is specified as the number of renegotiations per minute.

Options

number_renegotiations/minute Rate of session renegotiations between junction servers and WebSEAL.

Usage

This stanza entry is required.

Default value

0

Example

jct-ssl-reneg-warning-rate = 0

jct-undetermined-revocation-cert-action

Syntax

jct-undetermined-revocation-cert-action = {ignore | log | reject}

Description

Controls the action that WebSEAL takes if OCSP or CRL is enabled but the responder cannot determine the revocation status of a certificate (that is, the revocation status is unknown). The appropriate values for this entry should be provided by the OCSP or CRL Responder owner.

Options

ignore WebSEAL ignores the undetermined revocation status and permits use of the certificate.

log WebSEAL logs the fact that the certificate status is undetermined and permits use of the certificate.

reject WebSEAL logs the fact that the certificate status is undetermined and rejects the certificate.

Usage

This stanza entry is optional.

Default value

log

Example

jct-undetermined-revocation-cert-action = log

jmt-map

Syntax

jmt-map = file_name

Description

The name of the file that contains the location of the Junction-to-Request Mapping Table (JMT).

The administrator can rename this file if necessary. The file name can be any file name valid for the operating system file system.

Options

file_name Name of the file that contains the location of the Junction-to-Request Mapping Table (JMT).

Usage

This stanza entry is required.

Default value

jmt.conf

Example

jmt-map = jmt.conf


managed-cookies-list

Syntax

managed-cookies-list = list

Description

The managed-cookies-list contains a comma-separated list of patterns that will be matched against the names of cookies returned by junctioned servers. Cookies with names that match the patterns in this list are stored in the WebSEAL cookie jar and not returned to the client. Cookies that do not match these patterns are returned to the client browser.

The WebSEAL cookie jar is turned off by not specifying any cookies in the managed-cookies-list.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

list A comma-separated list of pattern-matched cookie names.

Usage

This stanza entry is optional.

Default value

This option is empty by default.

Example

managed-cookies-list = JSESS*,Ltpa*

mangle-domain-cookies

Syntax

mangle-domain-cookies = {yes | no}

Description

Enables or disables WebSEAL domain cookie name mangling behavior.

Note:

1. This option enables domain cookie mangling on a server-wide basis. The option cannot be configured on a per-junction basis.

2. This option is relevant only for junctions that use a reprocessing solution such as -j or JMT.

3. This option does not affect cookies listed in preserve-cookie-names.

Options

yes Enables WebSEAL to mangle the names of domain cookies. Information identifying the junction is added to the cookie name, and the cookie is only associated with that junction. If mangle-path-into-cookie-name is set to yes, then the backend path attribute information is also mangled into the cookie name.

no WebSEAL will not mangle the names of domain cookies.

Usage

This stanza entry is optional.

Default value

This option is disabled by default.

Example

mangle-domain-cookies = yes

match-vhj-first

Helps determine the order in which WebSEAL searches for a request in a standard or a virtual host junction table.

Syntax

match-vhj-first = {yes|no}

Description

WebSEAL manages separate junction tables for standard and virtual host junctions. When a request comes in, WebSEAL searches the virtual host junction table first. If WebSEAL does not find a match, it searches the table that manages standard junctions. The match-vhj-first configuration can reverse the search order so that WebSEAL searches the standard junction table before searching the virtual host junction table.

Options

yes WebSEAL searches the virtual host junction table first.

no WebSEAL searches the standard junction table first.

Usage

This stanza entry is not optional.

Default value

yes

Example

The following example tells WebSEAL to search the standard junction table first:

match-vhj-first = no

max-cached-persistent-connections

Syntax

max-cached-persistent-connections = number_of_connections


Description

The maximum number of persistent connections that will be stored in the cache for future use. Connections with junctioned Web servers will be cached for future use unless the configured limit (as defined by this configuration entry) is reached, or unless the connection:close header is received in the HTTP response.

Note: If this setting is enabled, there is the potential for different user sessions to use the same connection when processing junction requests. To disable the persistent connection functionality, specify a max-cached-persistent-connections value of zero (0).

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

number_of_connections Integer value indicating the maximum number of persistent connections that will be stored in the cache for future use. A value of zero (0) disables this support. WebSEAL imposes no maximum on this value.

Usage

This stanza entry is required.

Default value

0

max-cached-persistent-connections = 0

max-webseal-header-size

Syntax

max-webseal-header-size = number_of_bytes

Description

Integer value indicating the maximum size, in bytes, of HTTP headers generated by the WebSEAL server. Headers greater in size than this value are split across multiple HTTP headers.

Note: The max-webseal-header-size entry does not limit the maximum size of HTTP-Tag-Value headers.

Options

number_of_bytes Integer value indicating the maximum size, in bytes, of HTTP headers generated by the WebSEAL server. A value of zero (0) disables this support. WebSEAL imposes no maximum on this value.


Usage

This stanza entry is required.

Default value

0

Example

max-webseal-header-size = 0

pass-http-only-cookie-atr

Syntax

pass-http-only-cookie-atr = {yes|no}

Description

Indicates whether WebSEAL will pass or remove the HTTPOnly attribute from the Set-Cookie headers sent by junctioned servers.

Options

yes Enables WebSEAL to pass the HTTPOnly attribute from Set-Cookie headers sent by junctioned servers.

no Enables WebSEAL to remove the HTTPOnly attribute from Set-Cookie headers sent by junctioned servers.

Usage

This stanza entry is required.

Default value

no

Example

pass-http-only-cookie-atr = no

persistent-con-timeout

Syntax

persistent-con-timeout = number_of_seconds

Description

Indicates the maximum number of seconds a persistent connection can remain idle in a cache before the connection is cleaned up and closed by WebSEAL.

Use an integer value lower than the configured maximum connection lifetime for the junctioned web server. For example, the connection lifetime for a junctioned Apache web server is controlled by the KeepAliveTimeout configuration entry.


You can customize the persistent-con-timeout configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_id}] stanza.

where {junction_id} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Note: If you do not use an integer value lower than the connection lifetime on the junctioned web server, you might encounter the following problem.

If the [junction] max-cached-persistent-connections configuration entry is set to a value greater than zero, WebSEAL reuses its TCP/IP session with the junctioned back-end server. If the junctioned back-end server closes the socket at the same time that WebSEAL starts to use this session to send a request, the request fails.

To send the request again, WebSEAL opens a new TCP/IP session. If the request body is larger than the size that WebSEAL can cache, WebSEAL fails to resend the request and generates a 500 error.

Options

number_of_seconds Integer value that indicates the maximum number of seconds a persistent connection can remain idle in a cache before the connection is closed by WebSEAL. The minimum value is 1. WebSEAL does not impose a maximum value.

Usage

This stanza entry is required.

Default value

5

Example

persistent-con-timeout = 5
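The interaction between max-cached-persistent-connections and persistent-con-timeout is easier to reason about as a small model. The following Python is an added illustration, not WebSEAL's own code: it keeps a bounded pool of idle junction connections, drops a connection when the response carried connection: close, refuses to cache once the configured limit is reached, and expires entries whose idle time reaches the timeout. The pool layout (a flat list keyed by junction name) and the injectable clock are assumptions made for the example.

```python
"""Model of WebSEAL's junction persistent-connection cache.

Added example, not product code. Assumptions: one flat idle list keyed by
junction name, expiry when idle time >= persistent-con-timeout, and a
clock callable so the behaviour can be driven deterministically.
"""
import time
from typing import Callable, Dict, List, Tuple


class CachedConnection:
    """A junction connection that may be parked in the cache between requests."""

    def __init__(self, junction: str, conn_id: int, now: float) -> None:
        self.junction = junction
        self.conn_id = conn_id
        self.idle_since = now


class PersistentConnectionCache:
    def __init__(self, max_cached: int, idle_timeout: int,
                 clock: Callable[[], float] = time.monotonic) -> None:
        # max-cached-persistent-connections: 0 disables caching entirely.
        if max_cached < 0:
            raise ValueError("max-cached-persistent-connections must be >= 0")
        # persistent-con-timeout: the reference states a minimum of 1.
        if idle_timeout < 1:
            raise ValueError("persistent-con-timeout minimum value is 1")
        self.max_cached = max_cached
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._idle: List[CachedConnection] = []
        self._next_id = 0

    def expire_idle(self) -> int:
        """Close connections idle for at least the timeout; return how many."""
        now = self.clock()
        before = len(self._idle)
        self._idle = [c for c in self._idle
                      if now - c.idle_since < self.idle_timeout]
        return before - len(self._idle)

    def acquire(self, junction: str) -> Tuple[CachedConnection, bool]:
        """Return (connection, reused). A cached connection is handed to
        whichever request arrives next, which is why the reference warns
        that different user sessions may share one connection."""
        self.expire_idle()
        for conn in self._idle:
            if conn.junction == junction:
                self._idle.remove(conn)
                return conn, True
        self._next_id += 1
        return CachedConnection(junction, self._next_id, self.clock()), False

    def release(self, conn: CachedConnection,
                response_headers: Dict[str, str]) -> bool:
        """Park the connection after a response; return True if it was cached."""
        if self.max_cached == 0:
            return False
        # connection: close from the junction means the socket is not reusable.
        for name, value in response_headers.items():
            if name.lower() == "connection" and value.strip().lower() == "close":
                return False
        if len(self._idle) >= self.max_cached:
            return False
        conn.idle_since = self.clock()
        self._idle.append(conn)
        return True

    def cached_count(self) -> int:
        return len(self._idle)


if __name__ == "__main__":
    # Constructed walk-through with a fake clock.
    t = [0.0]
    cache = PersistentConnectionCache(max_cached=2, idle_timeout=5,
                                      clock=lambda: t[0])
    c, reused = cache.acquire("/app")
    print("first acquire reused:", reused)
    cache.release(c, {"Content-Type": "text/html"})
    t[0] += 5.0
    c, reused = cache.acquire("/app")
    print("after timeout reused:", reused)
```

The timeout comparison is deliberately `>=` so that a connection is dropped at exactly the configured idle time; as the reference notes, choosing a value below the back-end's own keep-alive lifetime is what avoids the race where the server closes the socket just as WebSEAL reuses it.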

ping-method

Syntax

ping-method = method

Description

The WebSEAL server performs a periodic background ping of each junctioned Web server, to determine whether it is running. The optional ping-method entry sets the HTTP request type used in these pings. The valid options include any valid HTTP request method (for example, HEAD or GET, for HTTP HEAD and HTTP GET requests respectively).

This configuration item may be customized for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.


Options

method Perform an HTTP request using the specified method to determine the state of the junctioned server.

Usage

None.

Default value

HEAD

ping-method = GET

ping-time

Syntax

ping-time = number_of_seconds

Description

Integer value indicating the number of seconds between pings issued by the WebSEAL server. The pings are issued periodically in the background to verify that junctioned WebSEAL servers are running.

If the server is deemed not running, the recovery-ping-time value determines the interval at which pings are sent until the server is running. The type of ping used is determined by the ping-method value. HTTP response code rules can be defined using the response-code-rules configuration entry.

Options

number_of_seconds Integer value indicating the number of seconds between pings issued by the WebSEAL server. The minimum value is 1. WebSEAL does not impose a maximum value.

Usage

To turn this ping off, set this entry to zero. If this entry is set to zero, the recovery-ping-time must be set.

Default value

300

Example

ping-time = 300

ping-uri

Syntax

ping-uri = uri


Description

The WebSEAL server performs a periodic background ping of each junctioned Web server to determine whether it is running. The optional ping-uri configuration entry defines the URI that is accessed by the ping request. The defined URI is relative to the root Web space of the junctioned Web server. If the URI is missing, this value defaults to a /.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

uri The URI that is accessed by the ping request.

Usage

This stanza entry is optional.

Default value

/

ping-uri = /apps/status

recovery-ping-time

Syntax

recovery-ping-time = number_of_seconds

Description

The WebSEAL server performs a periodic background ping of each junctioned Web server, to determine whether it is running. This entry sets the interval, in seconds, between pings when the server is determined to be not running.

Options

number_of_seconds Integer value indicating the number of seconds between pings issued by the WebSEAL server to a junctioned server that is determined to be not running. The minimum value is 1. WebSEAL does not impose a maximum value.

Usage

If this entry is not set, the recovery-ping-time defaults to the ping-time value.

Default value

300

Example

recovery-ping-time = 300


reprocess-root-jct-404s

Syntax

reprocess-root-jct-404s = {yes|no}

Description

Used to reprocess requests for root junction resources that result in an HTTP 404 error.

The dont-reprocess-jct-404s entry (also in the [junction] stanza) can be set to yes to avoid multiple attempts to prepend a junction point to the beginning of the URL string when reprocessing requests that have resulted in an HTTP 404 status code.

WebSEAL determines whether the request is already known to be for a non-local junction. However, WebSEAL fails to add a junction point when requests have been made for a root junction created at "/". To modify this behavior and cause requests for root junction resources that result in an HTTP 404 error to be reprocessed, you can use this reprocess-root-jct-404s stanza entry.

Options

yes Cause requests for root junction resources that result in an HTTP 404 error to be reprocessed regardless of the setting of the dont-reprocess-jct-404s entry (also in the [junction] stanza).

no The value for the dont-reprocess-jct-404s entry (also in the [junction] stanza) will determine whether root junction requests that result in an HTTP 404 error are reprocessed. That is, if the value for dont-reprocess-jct-404s is no then the HTTP 404 errors will still be reprocessed.

Usage

This stanza entry is optional.

Default value

no

Example

reprocess-root-jct-404s = yes

reset-cookies-list

Syntax

reset-cookies-list = list

Description

Determines which cookies are reset when the user session is logged out. The request received from the client and the response sent back to the client are both examined for matching cookies.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.


where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

list A comma-separated list of patterns. WebSEAL will reset any cookies with names that match the patterns in this list.

Usage

This stanza entry is required.

Default value

nil

reset-cookies-list = JSESS*,Ltpa*
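Both managed-cookies-list (described earlier) and reset-cookies-list take a comma-separated list of name patterns such as JSESS*,Ltpa*. The following Python is an added example, not WebSEAL's code, that models both: it splits junction Set-Cookie headers into those kept in the cookie jar and those forwarded to the browser, and collects the cookie names from a logout request and its response that match reset-cookies-list. The glob semantics (shell-style * and ?, case-sensitive) and the sample cookies are assumptions made for the example; the reference only shows the JSESS*,Ltpa* form.

```python
"""Model of WebSEAL cookie-name pattern lists (managed-cookies-list and
reset-cookies-list). Added example, not product code. Assumption: the
patterns use shell-style wildcards (* and ?) and match case-sensitively.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple


def parse_pattern_list(value: str) -> List[str]:
    """Parse a stanza value such as 'JSESS*,Ltpa*' into patterns.
    An empty value yields no patterns: for managed-cookies-list that
    means the cookie jar is off, for reset-cookies-list nothing is reset."""
    return [p.strip() for p in value.split(",") if p.strip()]


def name_matches(cookie_name: str, patterns: List[str]) -> bool:
    return any(fnmatchcase(cookie_name, pattern) for pattern in patterns)


def cookie_name(set_cookie_value: str) -> str:
    """Extract the cookie name from a Set-Cookie header value."""
    first_pair = set_cookie_value.split(";", 1)[0]
    return first_pair.split("=", 1)[0].strip()


def split_set_cookies(set_cookie_headers: List[str],
                      managed: List[str]) -> Tuple[List[str], List[str]]:
    """Apply managed-cookies-list to a junction response.
    Returns (stored_in_cookie_jar, forwarded_to_client)."""
    jar: List[str] = []
    to_client: List[str] = []
    for header in set_cookie_headers:
        if name_matches(cookie_name(header), managed):
            jar.append(header)          # kept server-side, never sent to the browser
        else:
            to_client.append(header)
    return jar, to_client


def cookies_to_reset(request_cookies: Dict[str, str],
                     response_set_cookies: List[str],
                     reset: List[str]) -> List[str]:
    """Apply reset-cookies-list at logout: both the client's request cookies
    and the response's Set-Cookie headers are examined for matching names."""
    names = set(request_cookies)
    names.update(cookie_name(h) for h in response_set_cookies)
    return sorted(name for name in names if name_matches(name, reset))


if __name__ == "__main__":
    # Constructed sample response from a junctioned server.
    managed = parse_pattern_list("JSESS*,Ltpa*")
    headers = ["JSESSIONID=abc123; Path=/app; HttpOnly",
               "LtpaToken2=tok; Domain=example.com",
               "theme=dark; Path=/"]
    jar, client = split_set_cookies(headers, managed)
    print("cookie jar:", jar)
    print("to client :", client)
    print("reset at logout:",
          cookies_to_reset({"JSESSIONID": "abc123", "theme": "dark"}, [], managed))
```

Keeping session cookies such as JSESSIONID in the jar means the browser never holds the back-end session identifier, which is the security benefit of managed-cookies-list; the reset list is what prevents such cookies from surviving a WebSEAL logout when they have been forwarded.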

response-code-rules

Syntax

response-code-rules = list

Description

The WebSEAL server performs a periodic background ping of each junctioned Web server to determine whether it is running. The optional response-code-rules configuration entry defines the rules that are used to determine whether HTTP responses indicate a healthy or an unhealthy junctioned Web server.

The configuration entry contains a space separated list of rules. Each rule has the format: [+|-]<code> (e.g. -50?)

where:

+ Indicates that this is a healthy response code.

- Indicates that this is an unhealthy response code.

<code> The corresponding response code, which can also contain pattern matching characters such as * and ?

The HTTP response codes are evaluated against each rule in sequence until a match is found. The corresponding code (+|-) determines whether the junctioned Web server is healthy or not. If the response code matches no configured rules, the junctioned Web server is considered healthy.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

list A space separated list of response code rules. These rules determine whether the response from a junctioned Web server indicates a healthy or an unhealthy server.


Usage

This stanza entry is optional.

Default value

nil

Example

response-code-rules = +2?? -*
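The first-match evaluation of response-code-rules, together with the ping-time / recovery-ping-time interval selection described under ping-time, is shown in the following Python. This is an added example, not WebSEAL's own implementation: it parses a rule list such as +2?? -*, classifies a ping status code by the first matching rule (unmatched codes count as healthy, as the reference states), and picks the interval until the next ping. Treating a rule without a leading sign as healthy, and returning 0 from the scheduler when ping-time is 0 and the server is healthy, are assumptions made for the example.

```python
"""Model of WebSEAL junction health checking: response-code-rules
evaluation and ping-time / recovery-ping-time scheduling.
Added example, not product code. Assumptions: a rule with no +/- sign is
healthy; a ping-time of 0 with a healthy server yields interval 0 (no ping).
"""
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

Rule = Tuple[bool, str]   # (healthy?, code pattern such as "2??" or "*")


def parse_response_code_rules(value: str) -> List[Rule]:
    """Parse a space-separated list of [+|-]<code> rules, e.g. '+2?? -*'."""
    rules: List[Rule] = []
    for token in value.split():
        sign, pattern = token[0], token[1:]
        if sign == "+":
            rules.append((True, pattern))
        elif sign == "-":
            rules.append((False, pattern))
        else:
            # Assumption: the sign is optional and defaults to healthy.
            rules.append((True, token))
        if not rules[-1][1]:
            raise ValueError(f"rule {token!r} has no response code")
    return rules


def is_healthy(status_code: int, rules: List[Rule]) -> bool:
    """Evaluate the rules in order; the first match decides.
    A code that matches no rule means the junctioned server is healthy."""
    code = str(status_code)
    for healthy, pattern in rules:
        if fnmatchcase(code, pattern):
            return healthy
    return True


def next_ping_interval(healthy: bool, ping_time: int,
                       recovery_ping_time: Optional[int]) -> int:
    """Seconds until the next background ping.
    ping-time applies while the server is healthy; recovery-ping-time while
    it is down and defaults to ping-time when not set. ping-time = 0 turns
    the regular ping off, in which case recovery-ping-time must be set."""
    if ping_time < 0 or (recovery_ping_time is not None and recovery_ping_time < 1):
        raise ValueError("invalid ping interval")
    if ping_time == 0 and recovery_ping_time is None:
        raise ValueError("ping-time = 0 requires recovery-ping-time to be set")
    if recovery_ping_time is None:
        recovery_ping_time = ping_time
    return ping_time if healthy else recovery_ping_time


if __name__ == "__main__":
    # Constructed sequence of ping status codes from a junctioned server.
    rules = parse_response_code_rules("+2?? -*")
    for code in (200, 302, 503):
        state = "healthy" if is_healthy(code, rules) else "unhealthy"
        print(code, state, "next ping in",
              next_ping_interval(is_healthy(code, rules), 300, 60), "s")
```

With the default rule list empty, every status code counts as healthy; an explicit `-*` after the healthy patterns is what turns, for example, a 503 from the ping URI into a detected outage.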

share-cookies

Syntax

share-cookies = {yes|no}

Description

The share-cookies item is used to control whether the cookie jar will be shared across different junctions or whether each junction will have a dedicated cookie jar.

Options

yes If this entry is set to yes, cookies will be sent over all junctions, regardless of the junction from which the cookie originated.

no If this entry is set to no, only cookies received from the junction will be sent in requests to that junction.

Usage

This stanza entry is required.

Default value

no

Example

share-cookies = yes

support-virtual-host-domain-cookies

Syntax

support-virtual-host-domain-cookies = {yes|no}

Description

If allow-backend-domain-cookies is set to yes, then this option modifies how WebSEAL validates the domain. This option has no effect if validate-backend-domain-cookies = no.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.


Options

yes If set to "yes" then the domain cookie is validated by comparing it with the virtual host specified for a backend server with the -v junction option.

no If set to "no", or if no virtual host was specified for a junction, then the fully qualified host name is compared with the domain value of a backend cookie for validation.

Usage

This stanza entry is required.

Default value

yes

support-virtual-host-domain-cookies = yes

use-new-stateful-on-error

Syntax

use-new-stateful-on-error = {yes|no}

Description

Control how WebSEAL responds to a stateful server that becomes unavailable.

This configuration item may be customized for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction. For example:

[junction:/WebApp]

Options

yes When set to "yes" and the original server becomes unavailable during a session, WebSEAL directs the user's next request (containing the original stateful cookie) to a new replica server on the same stateful junction. If a new replica server is found on that stateful junction, and is responsive to the request, WebSEAL sets a new stateful cookie on the user's browser. Subsequent requests during this same session (and containing the new stateful cookie) are directed to this same new server.

no When set to "no" and the original server becomes unavailable during a session, WebSEAL does not direct the user's subsequent requests to a new replica server on the same stateful junction. Instead, WebSEAL returns an error and attempts to access the same server for subsequent requests by the user during this session.

Usage

This stanza entry is required.


Default value

no

Example

use-new-stateful-on-error = yes

validate-backend-domain-cookies

Syntax

validate-backend-domain-cookies = {yes|no}

Description

Specifies how WebSEAL validates the domain.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

yes If set to "yes" then domain cookies that adhere to the cookie specification are forwarded to the user. If the fully qualified host name of the originating back-end machine is the domain, then the cookie is forwarded to the user with no domain specified.

no If set to "no", then all domain cookies are forwarded to the user, regardless of their content.

Usage

This stanza entry is required.

Default value

yes

validate-backend-domain-cookies = yes

worker-thread-hard-limit

Syntax

worker-thread-hard-limit = number_of_threads

Description

Integer value indicating the limit, expressed as a percentage, of the total worker threads that are to be used for processing requests for junctions.

Options

number_of_threads

Integer value indicating the limit, expressed as a percentage, of the total worker threads that are to be used for processing requests for junctions. The default value of 100 means that there is no limit.

When the value of worker-thread-hard-limit is less than 100, and the limit is exceeded, WebSEAL generates an error message.

Usage

This stanza entry is required.

Default value

100

Example

worker-thread-hard-limit = 100

worker-thread-soft-limit

Syntax

worker-thread-soft-limit = number_of_threads

Description

Integer value indicating the limit, expressed as a percentage, of the total worker threads that are to be used for processing requests for junctions.

Options

number_of_threads

Integer value indicating the limit, expressed as a percentage, of the total worker threads that are to be used for processing requests for junctions.

When the value of worker-thread-soft-limit is less than 100, and the limit is exceeded, WebSEAL generates a warning message.

Usage

This stanza entry is required.

Default value

90

Example

worker-thread-soft-limit = 90

disable-local-junctions

WebSEAL can serve pages from a local web server through local junctions.

Syntax

disable-local-junctions = {yes|no}


Description

If local junctions are not used, you can disable the functionality with the disable-local-junctions configuration item.

Options

yes Disables local junction functionality.

no Enables local junction functionality.

Usage

Optional.

The following example enables local junction functionality:

disable-local-junctions = no

[junction:junction_name] stanza

Note: This stanza is optional and must be manually inserted into the WebSEAL configuration file. The junction_name in the stanza name is the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction. For details about the configuration entries supported in this junction specific stanza, see the description of the corresponding configuration entry in the [junction] stanza.

[ldap] stanza

auth-timeout

Syntax

auth-timeout = {0|number_seconds}

Description

Amount of time (in seconds) that will be allowed for authentication operations before the LDAP server is considered to be down. If specified, this value overrides any value of timeout for authentication operations.

Note: Do not specify this parameter in the ldap.conf server configuration file.

Options

0 No timeout is allowed.

number_seconds The specified number of seconds allowed for authentication operations, specified as an integer positive whole number. There is no range limitation for timeout values.

Usage

This stanza entry is optional.


Default value

0

Example

auth-timeout = 0

auth-using-compare

Syntax

auth-using-compare = {yes|true|no|false}

Description

Enables or disables authentication using password comparison. When disabled, authentication using LDAP bind is performed.

For those LDAP servers that allow it, a compare operation might perform faster than a bind operation.

Options

yes|true A password compare operation is used to authenticate LDAP users.

no|false A bind operation is used to authenticate LDAP users.

Usage

This stanza entry is optional.

Default value

The default value, when LDAP is enabled, is yes.

Example

auth-using-compare = yes

bind-dn

Syntax

bind-dn = LDAP_DN

Description

LDAP user distinguished name (DN) that is used when binding (or signing on) to the LDAP server. This is the name that represents the WebSEAL server daemon.

Options

LDAP_DN

LDAP user distinguished name (DN) that is used when binding (or signing on) to the LDAP server.


Usage

This stanza entry is required when LDAP is enabled.

Default value

The default value is built by combining the daemon name webseald with the host_name that was specified by the administrator during the configuration of the Security Access Manager runtime component.

Example

bind-dn = cn=webseald/surf,cn=SecurityDaemons,secAuthority=Default

bind-pwd

Syntax

bind-pwd = LDAP_password

Description

Password for the LDAP user distinguished name declared in the bind-dn stanza entry.

Options

LDAP_password

Password for the LDAP user distinguished name declared in the bind-dn stanza entry.

Usage

This stanza entry is required when LDAP is enabled.

Default value

The default value of this stanza entry is set during WebSEAL configuration. The WebSEAL configuration reads the LDAP_password that was specified by the administrator during the configuration of the Security Access Manager runtime component. This value is read from the Security Access Manager configuration file, pd.conf.

Example

bind-pwd = zs77WVoLSZn1rKrL

cache-enabled

Syntax

cache-enabled = {yes|true|no|false}

Description

Enables or disables LDAP client-side caching.


Options

yes|true

Enable LDAP client-side caching.

no|false

Disable LDAP client-side caching. Anything other than yes|true, including a blank value, is interpreted as no|false.

Usage

This stanza entry is required.

Default value

yes

Example

cache-enabled = yes

cache-group-expire-time

Syntax

cache-group-expire-time = number_of_seconds

Description

Specifies the amount of time to elapse before a group entry in the cache is discarded.

This entry is used only when cache-enabled = {yes|true}.

Options

number_of_seconds

Specifies the amount of time to elapse before a group entry in the cache is discarded.

Usage

This stanza entry is optional.

Default value

There is no default value, but when not set the default value used is 300 seconds.

Example

cache-group-expire-time = 300

cache-group-membership

Syntax

cache-group-membership = {yes|no}


Description

Indicates whether group membership information should be cached.

This entry is used only when cache-enabled = {yes|true}.

Options

yes Cache group membership information.

no Do not cache group membership information.

Usage

This stanza entry is optional.

Default value

There is no default value, but when not set the group information is cached.

Example

cache-group-membership = yes

cache-group-size

Syntax

cache-group-size = number

Description

Specifies the number of entries in the LDAP group cache.

This entry is used only when cache-enabled = {yes|true}.

Options

number

Specifies the number of entries in the LDAP group cache.

Usage

This stanza entry is optional.

Default value

There is no default value, but when not set the default value used is 64.

Example

cache-group-size = 64

cache-policy-expire-time

Syntax

cache-policy-expire-time = number_of_seconds


Description

Specifies the amount of time to elapse before a policy entry in the cache is discarded.

This entry is used only when cache-enabled = {yes|true}.

Options

number_of_seconds

Specifies the amount of time to elapse before a policy entry in the cache is discarded.

Usage

This stanza entry is optional.

Default value

There is no default value, but when not set the default value used is 30 seconds.

Example

cache-policy-expire-time = 30

cache-policy-size

Syntax

cache-policy-size = number

Description

Specifies the number of entries in the LDAP policy cache.

This entry is used only when cache-enabled = {yes|true}.

Options

number

Specifies the number of entries in the LDAP policy cache.

Usage

This stanza entry is optional.

Default value

There is no default value, but when not set the default value used is 20.

Example

cache-policy-size = 20

cache-return-registry-id

Syntax

cache-return-registry-id = {yes|no}


Description

Indicates whether to cache the user identity as it is stored in the registry or cache the value as entered during authentication. Ignored if the cache is not enabled. If not set, the default is no.

Options

yes Cache the user identity as it is stored in the registry.

no Cache the user identity as it was entered during authentication.

Usage

This stanza entry is optional.

Default value

no

Example

cache-return-registry-id = no

cache-user-expire-time

Syntax

cache-user-expire-time = number_of_seconds

Description

Specifies the amount of time to elapse before a user entry in the cache is discarded.

This entry is used only when cache-enabled = {yes|true}.

Options

number_of_seconds

Specifies the amount of time to elapse before a user entry in the cache is discarded.

Usage

This stanza entry is optional.

Default value

There is no default value, but when not set the default value used is 30 seconds.

Example

cache-user-expire-time = 30

cache-user-size

Syntax

cache-user-size = number


Description

Specifies the number of entries in the LDAP user cache.

This entry is used only when cache-enabled = {yes|true}.

Options

number

Specifies the number of entries in the LDAP user cache.

Usage

This stanza entry is optional.

Default value

There is no default value, but when not set the default value used is 256.

Example

cache-user-size = 256

cache-use-user-cache

Syntax

cache-use-user-cache = {yes|no}

Description

Indicates whether the user cache information is used.

This entry is used only when cache-enabled = {yes|true}.

Options

yes Use the user cache information.

no Do not use the user cache information.

Usage

This stanza entry is optional.

Default value

There is no default value, but when not set the user cache information is used.

Example

cache-use-user-cache = yes

default-policy-override-support

Syntax

default-policy-override-support = {yes|true|no|false}


Description

Indicates whether default policy overrides user level policy during LDAP searches. When this stanza entry is set to yes, only the default policy is checked.

Options

yes|true

User policy support is disabled and only the global (default) policy is checked. This option allows the user policy to be ignored, even when it is specified.

no|false

User policy support is enabled. When a user policy is specified by the administrator, it overrides the global policy.

Usage

This stanza entry is optional.

Default value

By default, the value is not specified during WebSEAL configuration. When the value is not specified, the default behavior is to enable user policy support. This is equivalent to setting this stanza entry to no.

Example

default-policy-override-support = yes

enabled

Syntax

enabled = {yes|true|no|false}

Description

Indicates whether LDAP is used as the user registry.

Options

yes|true

Enable LDAP user registry support.

no|false

Disables LDAP user registry support and indicates that LDAP is not the user registry being used. Anything other than yes|true, including a blank value, is interpreted as no|false.

Usage

This stanza entry is required when LDAP is the user registry.

Default value

The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.


Example

enabled = yes

host

Syntax

host = host_name

Description

Host name of the LDAP server.

Options

host_name

Valid values for host_name include any valid IP host name. The host_name does not have to be a fully qualified domain name.

Usage

This stanza entry is required.

Default value

The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.

Example

host = diamond

host = diamond.example.com

login-failures-persistent

Syntax

login-failures-persistent = {yes|true|no|false}

Description

When set to "yes", login hits are tracked in the registry instead of only in the local process cache.

Persistent login hit recording impacts performance but allows consistent login hit counting across multiple servers.

Options

yes|true

When set to "yes", login hits are tracked in the registry instead of only in the local process cache.

no|false

When set to "no", login hits are tracked only in the local process cache and are not recorded in the registry.


Usage

This stanza entry is optional.

Default value

The value is not specified by default during WebSEAL configuration. When the value is not specified, the default value is no.

Example

login-failures-persistent = yes

max-search-size

Syntax

max-search-size = {0|number_entries}

Description

Limit for the maximum search size, specified as the number of entries, that can be returned from the LDAP server. The value for each server can be different, depending on how the server was configured.

Options

0 The number is unlimited; there is no limit to the maximum search size.

number_entries

The maximum number of entries for search, specified as an integer whole number. This value can be limited by the LDAP server itself.

Usage

This stanza entry is optional.

Default value

The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.

Example

max-search-size = 2048

prefer-readwrite-server

Syntax

prefer-readwrite-server = {yes|true|no|false}

Description

Allows or disallows the client to query the Read/Write LDAP server before querying any replica Read-only servers configured in the domain.


Options

yes|true

Enable the choice: the Read/Write LDAP server is queried before the replica Read-only servers.

no|false

Disable the choice. Anything other than yes|true, including a blank value, is interpreted as no|false.

Usage

This stanza entry is optional.

Default value

no

Example

prefer-readwrite-server = no

port

Syntax

port = port_number

Description

Number of the TCP/IP port used for communicating with the LDAP server. Note that this is not for SSL communication.

Options

port_number

A valid port number is any positive integer that is allowed by TCP/IP and that is not currently being used by another application.

Usage

This stanza entry is required when LDAP is enabled.

Default value

The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.

Example

port = 389

replica

Syntax

replica = ldap-server, port, type, pref


Description

Definition of the LDAP user registry replicas in the domain.

Security Access Manager supports a maximum of one host and nine LDAP replica servers, which are listed in the ldap.conf file. If more than nine LDAP replica entries are listed, the Security Access Manager servers cannot start.

Options

ldap-server

The network name of the server.

port The port number for the LDAP server. A valid port number is any positive number that is allowed by TCP/IP and that is not currently being used by another application.

type One of read-only or read/write.

pref A number from 1 to 10 (10 is the highest preference).

Usage

This stanza entry is optional.

Default value

Default value is that no replicas are specified.

Any value is always taken during WebSEAL initialization from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.

Example

Example of one replica specified and two replicas commented out:

replica = rep1,390,readonly,1
#replica = rep2,391,readwrite,2
#replica = rep3,392,readwrite,3
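The constraints stated for this entry (four comma-separated fields, a positive port, a type of read-only or read/write, a preference from 1 to 10, and at most nine active replica entries) are easy to get wrong in a hand-edited file, and the server simply fails to start when the limit is exceeded. The following validator is an added example, not code from the IBM product or this reference: it reads the replica lines of an [ldap] stanza, skips the commented-out entries exactly as the example above does, enforces the stated constraints, and returns the replicas ordered highest preference first. The stanza and key names come from this reference; the configuration text, the `Replica` class and the function names are this example's own.

```python
"""Validate the replica entries of a WebSEAL [ldap] stanza (added example)."""
from dataclasses import dataclass
from typing import List, Optional

MAX_REPLICAS = 9          # the reference: more than nine replica entries and the servers cannot start
VALID_TYPES = {"readonly", "readwrite"}


@dataclass(frozen=True)
class Replica:
    server: str   # ldap-server: network name of the replica
    port: int     # positive TCP/IP port number
    kind: str     # "readonly" or "readwrite"
    pref: int     # 1..10, where 10 is the highest preference


def parse_replica(value: str) -> Replica:
    """Parse the right-hand side of 'replica = ldap-server, port, type, pref'."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 4:
        raise ValueError(f"replica needs 4 comma-separated fields, got {len(parts)}: {value!r}")
    server, port_s, kind, pref_s = parts
    if not server:
        raise ValueError("replica server name is empty")
    port = int(port_s)
    if port <= 0:
        raise ValueError(f"replica port must be a positive integer, got {port}")
    # The options text spells the type read-only / read/write while the example
    # uses readonly / readwrite; accept both by dropping the separators.
    kind_norm = kind.lower().replace("-", "").replace("/", "")
    if kind_norm not in VALID_TYPES:
        raise ValueError(f"replica type must be read-only or read/write, got {kind!r}")
    pref = int(pref_s)
    if not 1 <= pref <= 10:
        raise ValueError(f"replica pref must be between 1 and 10, got {pref}")
    return Replica(server, port, kind_norm, pref)


def load_ldap_replicas(config_text: str) -> List[Replica]:
    """Collect the active 'replica =' entries inside the [ldap] stanza.

    Lines starting with '#' are commented out and skipped, as in the
    reference's example. The result is ordered highest preference first.
    Raises ValueError for a malformed entry or more than MAX_REPLICAS entries.
    """
    replicas: List[Replica] = []
    in_ldap = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_ldap = (line == "[ldap]")
            continue
        if not in_ldap or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "replica":
            replicas.append(parse_replica(value))
    if len(replicas) > MAX_REPLICAS:
        raise ValueError(f"{len(replicas)} replica entries are active; the limit is {MAX_REPLICAS}")
    return sorted(replicas, key=lambda r: r.pref, reverse=True)


def replica_config_error(config_text: str) -> Optional[str]:
    """Return the validation error for config_text, or None when the replicas are valid."""
    try:
        load_ldap_replicas(config_text)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample: the reference's replica example plus one extra entry and
# an unrelated stanza, to show that only the [ldap] stanza is read.
SAMPLE_CONFIG = """\
[ldap]
host = diamond
port = 389
replica = rep1,390,readonly,1
#replica = rep2,391,readwrite,2
#replica = rep3,392,readwrite,3
replica = rep4,393,read/write,5

[some-other-stanza]
replica = ignored,1,readonly,1
"""

if __name__ == "__main__":
    for r in load_ldap_replicas(SAMPLE_CONFIG):
        print(f"{r.server}:{r.port} {r.kind} pref={r.pref}")
```

Running the sample prints rep4 before rep1 because it carries the higher preference. The check is deliberately strict about the field count and the preference range, so that an edit which leaves the file syntactically valid but semantically outside the documented limits is caught before the server is restarted.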

search-timeout

Syntax

search-timeout = {0|number_seconds}

Description

Amount of time (in seconds) that will be allowed for search operations before the LDAP server is considered to be down. If specified, this value overrides any value of timeout for search operations.

Note: Do not specify this parameter in the ldap.conf server configuration file.

Options

0 No timeout is allowed.


number_seconds

The specified number of seconds allowed for search operations, specified as a positive integer. There is no range limitation for timeout values.

Usage

This stanza entry is optional.

Default value

0

Example

search-timeout = 0

ssl-enabled

Syntax

ssl-enabled = {yes|true|no|false}

Description

Enables or disables SSL communication between WebSEAL and the LDAP server.

Options

yes|true

Enable SSL communication.

no|false

Disable SSL communication.

Usage

This stanza entry is optional.

Default value

SSL communication is disabled by default. During WebSEAL server configuration, the WebSEAL administrator can choose to enable it.

Example

ssl-enabled = yes

ssl-keyfile

Syntax

ssl-keyfile = file_name

Description

SSL key file name. The SSL key file handles certificates that are used in LDAP communication.


Options

file_name

The WebSEAL administrator specifies this file name during WebSEAL configuration. The file name can be any arbitrary choice, but the extension is usually .kdb.

Usage

This stanza entry is required when SSL communication is enabled, as specified in the ssl-enabled stanza entry.

Default value

None.

Example

ssl-keyfile = webseald.kdb

ssl-keyfile-dn

Syntax

ssl-keyfile-dn = key_label

Description

String that specifies the key label of the client personal certificate within the SSL key file. This key label is used to identify the client certificate that is presented to the LDAP server.

Options

key_label

String that specifies the key label of the client personal certificate within the SSL key file.

Usage

This stanza entry is optional. A label is not required when one of the certificates in the keyfile has been identified as the default certificate. The decision whether to identify a certificate as the default was made previously by the LDAP administrator when configuring the LDAP server. The WebSEAL configuration utility prompts the WebSEAL administrator to supply a label. When the administrator knows that the certificate contained in the keyfile is the default certificate, the administrator does not have to specify a label.

Default value

None.

Example

ssl-keyfile-dn = "PD_LDAP"


ssl-keyfile-pwd

Syntax

ssl-keyfile-pwd = password

Description

Password to access the SSL key file.

Options

password

Password to access the SSL key file. The WebSEAL administrator specifies this password during WebSEAL configuration. The password associated with the default SSL keyfile is gsk4ikm.

Usage

Deprecated: The ssl-keyfile-pwd entry is deprecated in the [ldap] stanza. Although this entry might exist in a configuration file, it will be ignored.

Default value

None.

Example

ssl-keyfile-pwd = gsk4ikm

ssl-port

Syntax

ssl-port = port_number

Description

SSL IP port that is used to connect to the LDAP server. Note that this is for SSL communication.

Options

port_number

A valid port number is any positive number that is allowed by TCP/IP and that is not currently being used by another application.

Usage

This stanza entry is required only when LDAP is enabled and the LDAP server is configured to perform client authentication (ssl-enabled = yes).

Default value

The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.


Example

ssl-port = 636
</gr_replreplace>
<gr_replace lines="8166" cat="reformat" orig="Syntax">
Syntax

timeout = {0|number_seconds}

timeout

Syntaxtimeout = {0|number_seconds}

Description

Amount of time (in seconds) that is allowed for authentication or search operations before the LDAP server is considered to be unavailable. If specified, a value for the stanza entries auth-timeout or search-timeout overrides the value of this stanza entry.

Note: Do not specify this parameter in the ldap.conf server configuration file.

Options

0 No timeout is allowed.

number_seconds

The number of seconds allowed for authentication or search, specified as a positive integer. There is no range limitation for timeout values.

Usage

This stanza entry is optional.

Default value

0

Example

timeout = 0

user-and-group-in-same-suffix

Syntax

user-and-group-in-same-suffix = {yes|true|no|false}

Description

Indicates whether the groups, in which a user is a member, are defined in the same LDAP suffix as the user definition.

When a user is authenticated, the groups in which the user is a member must be determined in order to build a credential. Normally, all LDAP suffixes are searched to locate the groups of which the user is a member.

Options

yes|true

The groups are assumed to be defined in the same LDAP suffix as the user definition. Only that suffix is searched for group membership. This behavior can improve the performance of group lookup because only a single suffix is searched for group membership. This option should only be specified if group definitions are restricted to the same suffix as the user definition.

no|false

The groups might be defined in any LDAP suffix.

Usage

This stanza entry is optional.

Default value

The value is not specified by default during WebSEAL configuration. When the value is not specified, the default value is no.

Example

user-and-group-in-same-suffix = yes

[local-response-macros] stanza

macro

Syntax

macro = macro[:name]

Description

URL-encoded macros to include in the query string for all redirected management page requests. WebSEAL provides a default set of macros.

By default, WebSEAL uses the macro values as arguments in the generated query string. Alternatively, you can customize the name of the arguments used in the query string by adding a colon followed by a name value.

Options

macro URL-encoded macro.

name WebSEAL uses this custom name as an argument in the response URI. If you do not provide a value for this custom name then WebSEAL defaults to using the macro value as an argument in the response URI.

Note: For the HTTPHDR macro, the default value is HTTPHDR_<name>, where <name> is the name of the HTTP header defined in the macro. For the CREDATTR macro, the default value is CREDATTR_<name>, where <name> is the name of the attribute defined in the macro.

Usage

This stanza entry is optional.

Default value

None.


Example

The following entry causes WebSEAL to use the default value USERNAME as an argument in the query string.

macro = USERNAME

The following entry causes WebSEAL to use the custom value myUserName as an argument in the query string.

macro = USERNAME:myUserName

[local-response-redirect] stanza

local-response-redirect-uri

Syntax

local-response-redirect-uri = URI

Description

URL to which management page requests are redirected.

All requests for management pages are redirected to this URL with a query string indicating the operation requested, along with any macros (as configured in the [local-response-macros] stanza).

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [local-response-redirect:{junction_name}] stanza,

where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

URI URL to which management page requests are redirected.

Usage

This stanza entry is optional.

Default value

None.

Example of a server relative URL:

local-response-redirect-uri = /jct/page.html

Example of an absolute URL:

local-response-redirect-uri = http://www.example.com/


[logging] stanza

absolute-uri-in-request-log

Syntax

absolute-uri-in-request-log = {yes|no}

Description

Log the absolute URI in the request log, combined log, and HTTP audit records. Adds protocol and host to the path.

Options

yes Log the absolute URI.

no Do not log the absolute URI.

Usage

This stanza entry is required.

Default value

no

Example

absolute-uri-in-request-log = no

agents

Syntax

agents = {yes|no}

Description

Enables or disables the agents log. This log records the contents of the User-Agent: header of each HTTP request.

Options

yes The value yes enables agents logging.

no The value no disables agents logging.

Usage

This stanza entry is required.

Default value

yes

Example

agents = yes


audit-mime-types

Syntax

mime-pattern = {yes|no}

Description

Determines whether WebSEAL will generate an audit event for an HTTP request based on the content-type of the HTTP response.

Options

yes WebSEAL will generate an audit event for a response that contains the corresponding content MIME-type.

no WebSEAL will not generate an audit event for a response that contains the corresponding content MIME-type.

Usage

This stanza entry is optional.

Note:

1. More specific MIME patterns take precedence over less specific MIME patterns. For example, if image/* = yes (general) but image/jpeg = no (more specific), then an HTTP response with an image MIME-type other than JPEG will generate an audit event; a response with a JPEG MIME-type will not generate an audit event.

2. If an HTTP response does not match any of the MIME patterns listed in this stanza, WebSEAL will generate an audit event.

Default value

None

Example

image/jpeg = no
image/* = no
*/* = no
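The two notes above define a small decision procedure: the most specific matching pattern decides, and an unmatched content type is always audited. Because a wrong reading of the precedence silently drops audit events, it is worth checking a stanza against the responses it is meant to cover before relying on it. The following is an added example, not the product's own matching code: it parses [audit-mime-types] entries and applies the stated precedence (exact type/subtype, then type/*, then */*) to a response Content-Type, stripping any parameters such as a charset first. The stanza contents below are constructed from the reference's own illustration; the function names are this example's.

```python
"""Apply [audit-mime-types] precedence to a response Content-Type (added example)."""
from typing import Dict


def parse_audit_mime_types(stanza_text: str) -> Dict[str, bool]:
    """Parse 'mime-pattern = yes|no' lines into {pattern: audit?}.

    Blank lines, '#' comments and the stanza header itself are skipped.
    """
    rules: Dict[str, bool] = {}
    for raw in stanza_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        pattern, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a 'pattern = yes|no' entry: {line!r}")
        value = value.strip().lower()
        if value not in ("yes", "no"):
            raise ValueError(f"value for {pattern.strip()!r} must be yes or no, got {value!r}")
        rules[pattern.strip().lower()] = (value == "yes")
    return rules


def audit_for_content_type(rules: Dict[str, bool], content_type: str) -> bool:
    """Decide whether a response with this Content-Type produces an audit event.

    Precedence follows the reference's note: an exact type/subtype pattern wins
    over type/*, which wins over */*. A response that matches no pattern is
    audited.
    """
    media = content_type.split(";", 1)[0].strip().lower()   # drop parameters such as charset
    if "/" not in media:
        return True      # nothing can match a malformed media type, so the unmatched rule applies
    major = media.split("/", 1)[0]
    for candidate in (media, f"{major}/*", "*/*"):
        if candidate in rules:
            return rules[candidate]
    return True


# Constructed sample stanza: the reference's precedence illustration plus a text/css rule.
SAMPLE_STANZA = """\
[audit-mime-types]
image/* = yes
image/jpeg = no
text/css = no
"""
SAMPLE_RULES = parse_audit_mime_types(SAMPLE_STANZA)

if __name__ == "__main__":
    for ct in ("image/png", "image/jpeg", "text/css; charset=utf-8", "text/html"):
        print(f"{ct:28} audit={audit_for_content_type(SAMPLE_RULES, ct)}")
```

With the sample stanza, image/png is audited (it falls to image/* = yes), image/jpeg is not (the exact pattern wins), and text/html is audited because no pattern matches it at all. The stanza shown in the reference's own example, where every pattern including */* is set to no, suppresses audit events for every response type.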

audit-response-codes

Syntax

code = {yes|no}

Description

Determines whether WebSEAL will generate an audit event for an HTTP request based on the response code of the HTTP response.

Options

yes WebSEAL will generate an audit event for an HTTP response that matches the corresponding response code.

no WebSEAL will not generate an audit event for an HTTP response that matches the corresponding response code.


Usage

This stanza entry is optional.

Default value

None.

Example

200 = no
304 = no
401 = yes

flush-time

Syntax

flush-time = number_of_seconds

Description

Integer value indicating the frequency, in seconds, to force a flush of log buffers.

Options

number_of_seconds

Integer value indicating the frequency, in seconds, to force a flush of log buffers. The minimum value is 1 second. The maximum value is 600 seconds.

Usage

This stanza entry is optional.

Default value

20

Example

flush-time = 20

gmt-time

Syntax

gmt-time = {yes|no}

Description

Enables or disables logging requests using Greenwich Mean Time (GMT) instead of the local timezone.

Options

yes A value of yes means to use GMT.

no A value of no means to use the local timezone.


Usage

This stanza entry is required.

Default value

no

Example

gmt-time = no

host-header-in-request-log

Syntax

host-header-in-request-log = {yes|no}

Description

Log the Host header at the front of each line in the request log and the combined log.

Options

yes Log the Host header.

no Do not log the Host header.

Usage

This stanza entry is required.

Default value

no

Example

host-header-in-request-log = no

log-invalid-requests

Syntax

log-invalid-requests = {yes|no}

Description

Specifies whether WebSEAL logs all requests that are malformed or for some other reason are not processed to completion.

Options

yes WebSEAL logs every request, even if a request is malformed or for some other reason is not processed to completion.

no WebSEAL logs most requests. In some cases, requests that are malformed or for some other reason are not processed to completion will not be logged. This option exists for compatibility with versions of WebSEAL prior to version 6.0.


Usage

This stanza entry is required.

Default value

yes

Example

log-invalid-requests = yes

max-size

Syntax

max-size = number_of_bytes

Description

Integer value indicating the size limit of the log files. This value applies to the request, referer, and agent logs. The size limit is also referred to as the rollover threshold. When the log file reaches this threshold, the original log file is renamed and a new log file with the original name is created.

Options

number_of_bytes

When the value is zero (0), no rollover log file is created.

When the value is a negative integer, the logs are rolled over daily, regardless of the size.

When the value is a positive integer, the value indicates the maximum size, in bytes, of the log file before the rollover occurs. The allowable range is from 1 byte to 2 gigabytes.

Usage

This stanza entry is required.

Default value

2000000

Example

max-size = 2000000

referers

Syntax

referers = {yes|no}

Description

Enables or disables the referers log. This log records the Referer: header of each HTTP request.


Options

yes The value yes enables referers logging.

no The value no disables referers logging.

Usage

This stanza entry is required.

Default value

yes

Example

referers = yes

requests

Syntax

requests = {yes|no}

Description

Enables or disables the requests log. This log records standard logging of HTTP requests.

Options

yes The value yes enables requests logging.

no The value no disables requests logging.

Usage

This stanza entry is required.

Default value

yes

Example

requests = yes

request-log-format

Syntax

request-log-format = directives

Description

Contains the format in which a customized request log should be created. See the IBM Security Access Manager for Web: Auditing Guide for more information.

Options

The following directives can be used:


%a Remote IP Address.

%A Local IP Address.

%b Bytes in the reply excluding HTTP headers in CLF format: '-' instead of 0 when no bytes are returned.

%B Bytes in the reply excluding HTTP headers.

%{Attribute}C

Attribute from the Security Access Manager credential named 'Attribute'.

%d Transaction identifier, or session sequence number.

%F Time taken to serve the request in microseconds.

%h Remote host.

%H Request protocol.

%{header-name}i

Contents of the Header header-name in the request.

%j The name of the junction in the request.

%l Remote logname.

%m Request method (that is, GET, POST, HEAD).

%{header-name}o

Contents of the Header header-name in the reply.

%p Port of the WebSEAL server the request was served on.

%q The query string (prepended with '?' or empty).

%Q Logs raw query strings that the user must decode manually.

%r First line of the request.

%R First line of the request including HTTP://HOSTNAME.

%s Status.

%t Time and date in CLF format.

%{format}t

The time and date in the given format.

%T Time taken to serve the request in seconds.

%u Remote user.

%U The URL requested.

%v Canonical ServerName of the server serving the request.

%z The path portion of the URL in decoded form.

%Z The path portion of the URL in raw form.

Usage

The request-log-format string CANNOT contain the # character.

Default value

The default of this parameter is equivalent to the normal default log output. It iscommented out by default.


Example

Example on UNIX or Linux:

request-log-format = %h %l %u %t "%r" %s %b
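When a custom format is introduced, the people who consume the request log (log shippers, SIEM parsers, incident responders) need to know exactly what each line will look like, including the CLF conventions such as '-' for an empty field. The following renderer is an added example, not WebSEAL's own logging code: it expands the directives listed above against a request record so that a candidate request-log-format string can be previewed, and it rejects a format containing the # character as the Usage note requires. The directive letters are those of this reference; the request record, its key names, the header lookup and the rendering of %R (scheme derived from the protocol field) are this example's own simplifications.

```python
"""Render request-log lines from a WebSEAL request-log-format string (added example)."""
import re
from datetime import datetime, timezone
from typing import Any, Dict, Optional
from urllib.parse import unquote

# %x or %{argument}x; the argument serves %{header}i, %{header}o, %{Attribute}C and %{format}t
DIRECTIVE_RE = re.compile(r"%(?:\{([^}]*)\})?([A-Za-z%])")
KNOWN_DIRECTIVES = "aAbBCdFhHijlmopqQrRsStTuUvzZ%"


def check_request_log_format(fmt: str) -> Optional[str]:
    """Return an error message when fmt is not usable, else None."""
    if "#" in fmt:
        return "request-log-format cannot contain the # character"
    for _arg, letter in DIRECTIVE_RE.findall(fmt):
        if letter not in KNOWN_DIRECTIVES:
            return f"unknown directive %{letter}"
    return None


def _header(headers: Dict[str, str], name: str) -> str:
    # case-insensitive header lookup; '-' when the header is absent, as in CLF
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return "-"


def _request_line(rec: Dict[str, Any], with_host: bool) -> str:
    target = rec["url"] + (f"?{rec['query']}" if rec.get("query") else "")
    if with_host:   # simplification: scheme taken from the protocol field (HTTP/1.1 -> http)
        target = f"{rec['protocol'].split('/')[0].lower()}://{rec['server_name']}{target}"
    return f"{rec['method']} {target} {rec['protocol']}"


def _directive(letter: str, arg: str, rec: Dict[str, Any]) -> str:
    handlers = {
        "%": lambda: "%",
        "a": lambda: rec["remote_addr"],
        "A": lambda: rec["local_addr"],
        "b": lambda: str(rec["bytes"]) if rec["bytes"] else "-",   # CLF: '-' rather than 0
        "B": lambda: str(rec["bytes"]),
        "C": lambda: str(rec.get("cred_attrs", {}).get(arg, "-")),
        "d": lambda: str(rec["txn_id"]),
        "F": lambda: str(round(rec["duration"] * 1_000_000)),     # microseconds
        "h": lambda: rec["remote_host"],
        "H": lambda: rec["protocol"],
        "i": lambda: _header(rec.get("request_headers", {}), arg),
        "j": lambda: rec["junction"],
        "l": lambda: rec.get("remote_logname") or "-",
        "m": lambda: rec["method"],
        "o": lambda: _header(rec.get("response_headers", {}), arg),
        "p": lambda: str(rec["port"]),
        "q": lambda: f"?{rec['query']}" if rec.get("query") else "",
        "Q": lambda: rec.get("query", ""),                          # raw, undecoded
        "r": lambda: _request_line(rec, False),
        "R": lambda: _request_line(rec, True),
        "s": lambda: str(rec["status"]),
        "t": lambda: rec["time"].strftime(arg or "[%d/%b/%Y:%H:%M:%S %z]"),   # CLF time
        "T": lambda: str(int(rec["duration"])),                    # whole seconds
        "u": lambda: rec.get("remote_user") or "-",
        "U": lambda: rec["url"],
        "v": lambda: rec["server_name"],
        "z": lambda: unquote(rec["url"]),                           # decoded path
        "Z": lambda: rec["url"],                                    # raw path
    }
    handler = handlers.get(letter)
    if handler is None:
        raise ValueError(f"unknown directive %{letter}")
    return handler()


def render_request_log(fmt: str, rec: Dict[str, Any]) -> str:
    """Expand every directive in fmt against the request record rec."""
    error = check_request_log_format(fmt)
    if error:
        raise ValueError(error)
    return DIRECTIVE_RE.sub(lambda m: _directive(m.group(2), m.group(1) or "", rec), fmt)


# Constructed request record; the key names are this example's own, not WebSEAL's.
SAMPLE_REQUEST: Dict[str, Any] = {
    "remote_addr": "203.0.113.7", "local_addr": "192.0.2.10", "remote_host": "203.0.113.7",
    "remote_logname": None, "remote_user": "alice", "protocol": "HTTP/1.1",
    "method": "GET", "url": "/jct/app/a%20b.html", "query": "", "status": 200,
    "bytes": 5120, "junction": "/jct", "port": 443, "server_name": "www.example.com",
    "request_headers": {"User-Agent": "curl/7.68.0", "Host": "www.example.com"},
    "response_headers": {"Content-Type": "text/html"},
    "time": datetime(2012, 10, 18, 13, 55, 36, tzinfo=timezone.utc),
    "duration": 0.012, "txn_id": 42, "cred_attrs": {"dept": "eng"},
}
```

Rendering the reference's own UNIX example format against the sample record gives `203.0.113.7 - alice [18/Oct/2012:13:55:36 +0000] "GET /jct/app/a%20b.html HTTP/1.1" 200 5120`; adding `%j %p %{User-Agent}i` appends the junction, the WebSEAL port and the request's user agent. Keeping %Z (raw path) rather than %z in a format preserves the encoded form an attacker actually sent, which matters when a log consumer later searches for traversal or encoding tricks.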

server-log-cfg

Syntax

server-log-cfg = agent [parameter=value],[parameter=value]...

Description

Configures the server for logging. You can use the available parameters to configure the logging agents.

Options

agent

Specifies the logging agent. The agent controls the logging destination for server events. Valid agents include:

- stdout
- stderr
- file
- remote
- rsyslog

Note: If you use the remote agent to send audit events to a remote authorization server, ensure that the destination server is configured to process the received events. In particular, the logcfg configuration entry in the aznapi-configuration stanza must be set on the remote authorization server. You must use the following format for the category value in this logcfg entry:

remote.webseal.hostname.webseald

where

hostname The name of the appliance that originated the event.

For example, the following entry configures the remote authorization server to accept logging events from the iswga.au.ibm.com server, and send these events to the event.log file:

logcfg = remote.webseal.iswga.au.ibm.com.webseald:file path=/var/PolicyDirector/log/event.log

The remote authorization server discards any events that originate from a server for which there is no matching logcfg rule.

parameter The different agents support the following configuration parameters:

Table 1. Logging agent configuration parameters

Parameter       Supporting agents
buffer_size     remote
compress        remote
dn              remote
error_retry     remote, rsyslog
flush_interval  all
hi_water        all
log_id          file, rsyslog
max_event_len   rsyslog
mode            file
path            all
port            remote, rsyslog
queue_size      all
rebind_retry    remote, rsyslog
rollover_size   file
server          remote, rsyslog
ssl_keyfile     rsyslog
ssl_label       rsyslog
ssl_stashfile   rsyslog

Note: For a complete description of the available logging agents and the supported configuration parameters, see the Security Access Manager: Auditing Guide.

Usage

This stanza entry is required.

Default value

None.

Example

To log server events in a file called msg__webseald.log:

server-log-cfg = file path=msg__webseald.log

To send server events to a remote syslog server:

server-log-cfg = rsyslog server=timelord,port=514,log_id=webseal-instance

Port 514 is the conventional syslog port, and this example sends the events without SSL. The rsyslog agent also accepts the ssl_keyfile, ssl_label and ssl_stashfile parameters listed in Table 1 for an SSL-protected connection to the syslog server; the Auditing Guide describes them.

[ltpa] stanza

Accept and generate LTPA cookies for authentication.

ltpa-auth

Syntax

ltpa-auth = {http|https|both|none}


Description

Enables support for LTPA cookie generation and authentication.

Options

http Enables support for http cookies.

https Enables support for https cookies.

both Enables support for both http and https cookies.

none Disables support for both http and https cookies.

Usage

This stanza entry is required.

Default value

none

Example

ltpa-auth = https

cookie-name

Syntax

cookie-name = cookie_name

Description

The name of the LTPA cookie that WebSEAL issues to clients.

Options

cookie_name This must be Ltpatoken2 as only LTPA version 2 cookies are supported.

Usage

This stanza entry is required.

Default value

Ltpatoken2

Example

cookie-name = Ltpatoken2

cookie-domain

Syntax

cookie-domain = domain_name


Description

The domain of the LTPA cookie that WebSEAL issues to clients. If you do not specify a cookie domain, WebSEAL creates the LTPA cookie as a host-only cookie, which the browser returns only to the WebSEAL host that set it. When a domain is set, the browser sends the LTPA cookie to every host under that domain, so use the narrowest domain that covers the servers that must receive the token.

Options

domain_name The domain of the LTPA cookie.

Usage

This stanza entry is required.

Default value

none

Example

cookie-domain = ibm.com

jct-ltpa-cookie-name

Syntax

jct-ltpa-cookie-name = cookie_name

Description

The name of the cookie containing the LTPA token that WebSEAL sends across the junction to the backend server. If you do not specify a value for this item, WebSEAL uses the following default values:

- LtpaToken for cookies containing LTPA tokens.
- LtpaToken2 for cookies containing LTPA version 2 tokens.

WebSphere also uses these default values.

Options

cookie_name This name must match the LTPA cookie name that the WebSphere application uses on this junction.

Usage

This stanza entry is optional.

Default value

The default value for LTPA tokens is LtpaToken.

The default value for LTPA2 tokens is LtpaToken2.

Example

jct-ltpa-cookie-name = myCookieName


keyfile

Syntax

keyfile = keyfile_name

Description

The key file used when accessing LTPA cookies. The value must correspond to a valid LTPA key file, as generated by WebSphere. Protect this file: it holds the shared keys with which LTPA tokens are created and verified, so anyone who obtains it can produce tokens that WebSEAL and WebSphere accept.

Options

keyfile_name Name of a valid LTPA key file, as generated by WebSphere.

Usage

This stanza entry is optional.

Default value

none

Example

keyfile = keyfile123

update-cookie

Syntax

update-cookie = number_of_seconds

Description

The number of seconds that pass between updates of the LTPA cookie with the lifetime of the cookie. With each request, if n seconds have passed since the last cookie update, another update occurs. A zero value causes the lifetime timestamp in the LTPA cookie to be updated with each request. Negative values cause the lifetime of the cookie to be set to the same value as the lifetime of the user session. This setting is used in an attempt to mimic the inactivity timeout of a user session.

Note: This configuration entry affects the LTPA cookie that WebSEAL issues to clients. It is the lifetime of the cookie specified by the cookie-name configuration entry in the [ltpa] stanza.

Options

number_of_seconds The number of seconds that pass between updates of the LTPA cookie with the lifetime of the cookie.

Usage

This stanza entry is required.


Default value

-1

Example

update-cookie = 0

use-full-dn

Syntax

use-full-dn = {true|false}

Description

Controls whether the generated LTPA cookie contains the full DN of the user, or the Security Access Manager short name of the user.

Options

true WebSEAL inserts the full DN of the user into the LTPA cookie.

false WebSEAL inserts the Security Access Manager short name of the user into the LTPA cookie.

Usage

This stanza entry is optional.

Default value

true

Example

use-full-dn = true

[ltpa-cache] stanza

ltpa-cache-enabled

Syntax

ltpa-cache-enabled = {yes|no}

Description

Enables or disables the Lightweight Third Party Authentication cache.

Options

yes A value of yes enables caching.

no A value of no disables caching.

Usage

This stanza entry is required.


Default value

yes

Example

ltpa-cache-enabled = yes

ltpa-cache-entry-idle-timeout

Syntax

ltpa-cache-entry-idle-timeout = number_of_seconds

Description

Integer value that specifies the timeout, in seconds, for cache entries that are idle.

Options

number_of_seconds Integer value that specifies the timeout, in seconds, for cache entries that are idle. The value must be greater than or equal to zero (0). A value of zero means that entries are not removed from the LTPA cache due to inactivity. However, they may still be removed due to either the ltpa-cache-size being exceeded or the ltpa-cache-entry-lifetime stanza entry being exceeded. WebSEAL does not impose a maximum value.

Usage

This stanza entry is required, but is ignored when LTPA caching is disabled.

Default value

600

Example

ltpa-cache-entry-idle-timeout = 600

ltpa-cache-entry-lifetime

Syntax

ltpa-cache-entry-lifetime = number_of_seconds

Description

Integer value that specifies the lifetime, in seconds, of a LTPA cache entry.

Options

number_of_seconds Integer value that specifies the lifetime, in seconds, of a LTPA cache entry. The value must be greater than or equal to zero (0). A value of zero means that entries are not removed from the LTPA cache due to their entry lifetime being exceeded. However, they may still be removed due to either the ltpa-cache-size being exceeded or the ltpa-cache-entry-idle-timeout stanza entry being exceeded. WebSEAL does not impose a maximum value.


Usage

This stanza entry is required, but is ignored when LTPA caching is disabled.

Default value

3600

Example

ltpa-cache-entry-lifetime = 3600

ltpa-cache-size

Syntax

ltpa-cache-size = number_of_entries

Description

Integer value indicating the number of entries allowed in the LTPA cache.

Options

number_of_entries

Integer value indicating the number of entries allowed in the LTPA cache. The value must be greater than or equal to zero (0). A value of zero means that there is no limit on the size of the LTPA cache. This is not recommended.

WebSEAL does not impose a maximum value. Choose your maximum value to stay safely within the bounds of your available system memory.

Usage

This stanza entry is required, but is ignored when LTPA caching is disabled.

Default value

4096

Example

ltpa-cache-size = 4096
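As an added illustration, not WebSEAL code, the Python class below models the three [ltpa-cache] rules described above: the idle timeout, the entry lifetime and the size cap, each with the documented meaning of zero (no idle eviction, no lifetime eviction, no cap). The least-recently-used eviction order when the cap is reached, and the token strings used as cache keys, are assumptions of this example; the page only states that exceeding ltpa-cache-size removes entries.

```python
import time
from collections import OrderedDict


class LtpaCache:
    """Model of the [ltpa-cache] rules: an entry is dropped when it has been idle
    for ltpa-cache-entry-idle-timeout seconds, when it is older than
    ltpa-cache-entry-lifetime seconds, or when the cache would hold more than
    ltpa-cache-size entries. A timeout of 0 disables that timeout; a size of 0
    removes the cap. Eviction on the cap is least-recently-used first, which is
    an assumption of this model, not a statement from the stanza reference."""

    def __init__(self, enabled=True, idle_timeout=600, lifetime=3600, size=4096,
                 clock=time.monotonic):
        if min(idle_timeout, lifetime, size) < 0:
            raise ValueError("timeouts and size must be >= 0")
        self.enabled = enabled
        self.idle_timeout = idle_timeout
        self.lifetime = lifetime
        self.size = size
        self.clock = clock  # injectable so the behaviour can be tested deterministically
        self._entries = OrderedDict()  # key -> [value, created, last_used]

    def _expired(self, entry, now):
        _, created, last_used = entry
        return bool((self.lifetime and now - created >= self.lifetime)
                    or (self.idle_timeout and now - last_used >= self.idle_timeout))

    def put(self, key, value):
        if not self.enabled:
            return
        now = self.clock()
        self._entries.pop(key, None)
        self._entries[key] = [value, now, now]
        if self.size and len(self._entries) > self.size:
            self._entries.popitem(last=False)  # oldest position = least recently used

    def get(self, key):
        if not self.enabled:
            return None
        entry = self._entries.get(key)
        if entry is None:
            return None
        now = self.clock()
        if self._expired(entry, now):
            del self._entries[key]
            return None
        entry[2] = now                   # a hit resets the idle timer ...
        self._entries.move_to_end(key)   # ... and refreshes the LRU position
        return entry[0]

    def purge(self):
        """Drop every entry the timeouts would reject; returns how many were removed."""
        now = self.clock()
        stale = [k for k, e in self._entries.items() if self._expired(e, now)]
        for k in stale:
            del self._entries[k]
        return len(stale)

    def __len__(self):
        return len(self._entries)


class StepClock:
    """Manual clock so the walk-through below is deterministic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Exercise the three eviction rules with a manual clock; returns what was observed.
    The keys are constructed stand-ins for LTPA token strings."""
    clock = StepClock()
    cache = LtpaCache(idle_timeout=600, lifetime=3600, size=2, clock=clock)
    cache.put("ltpa-token-A", "alice")
    clock.now = 100
    cache.put("ltpa-token-B", "bob")
    clock.now = 500
    hit_a = cache.get("ltpa-token-A")      # idle 500 s < 600 s: still cached, idle timer reset
    clock.now = 1000
    idle_b = cache.get("ltpa-token-B")     # idle 900 s >= 600 s: evicted by the idle timeout
    still_a = cache.get("ltpa-token-A")    # idle 500 s since the refresh at t=500: kept
    cache.put("ltpa-token-C", "carol")     # cap is 2, cache now holds A and C
    cache.put("ltpa-token-D", "dave")      # third entry: A, least recently used, is dropped
    a_after_cap = cache.get("ltpa-token-A")
    size_after_cap = len(cache)
    clock.now = 4700
    lifetime_c = cache.get("ltpa-token-C")  # created at t=1000, age 3700 s >= 3600 s: gone
    return {"hit_a": hit_a, "idle_b": idle_b, "still_a": still_a,
            "a_after_cap": a_after_cap, "size_after_cap": size_after_cap,
            "lifetime_c": lifetime_c}


if __name__ == "__main__":
    print(demo())
```

Note that expiry in this model is lazy: an entry past its timeout stays in memory until it is looked up or purge() runs, which is why the size cap rather than the timeouts bounds memory use, exactly the reason the reference advises against ltpa-cache-size = 0.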

[mpa] stanza

mpa

Syntax

mpa = {yes|no}

Description

Enables support for multiplexing proxy agents.


Options

yes Enables support for multiplexing proxy agents.

no Disables support for multiplexing proxy agents.

Usage

This stanza entry is required.

Default value

no

Example

mpa = no

[oauth-eas] stanza

Notes:

- You can configure this stanza to support OAuth authorization decisions as part of WebSEAL requests. For more information about OAuth authorization decisions support, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.

- The OAuth EAS is used for a particular object if the effective POP for the object has an attribute called eas-trigger, with an associated value of trigger_oauth_eas.

apply-tam-native-policy

Syntax

apply-tam-native-policy = {true | false}

Description

Determines whether the native Security Access Manager ACL policy still takes effect, in addition to the OAuth authorization.

Options

true The OAuth EAS checks with Security Access Manager whether the user has permission to access the resource based on the ACL policy.

false The OAuth EAS does not check the Security Access Manager ACL policy to determine whether the user has permission to access the resource.

Usage

This stanza entry is required when configuring OAuth EAS authentication.

Default value

None.

Example

apply-tam-native-policy = false


bad-gateway-rsp-file

Syntax

bad-gateway-rsp-file = <file_name>

Description

Specifies the file that contains the body that is used when constructing a 502 Bad Gateway response. This response is generated when Tivoli Federated Identity Manager fails to process the request.

Options

<file_name> The name of the 502 Bad Gateway response file.

Usage

This stanza entry is required when configuring OAuth EAS authentication.

Default value

None.

Example

bad-gateway-rsp-file = bad_gateway.html

bad-request-rsp-file

Syntax

bad-request-rsp-file = <file_name>

Description

Specifies the file that contains the body that is used when constructing a 400 Bad Request response. This response is generated when required OAuth elements are missing from a request.

Options

<file_name> The name of the 400 Bad Request response file.

Usage

This stanza entry is required when configuring OAuth EAS authentication.

Default value

None.

Example

bad-request-rsp-file = bad_rqst.html


cache-size

Syntax

cache-size = <number_decisions>

Description

Specifies the maximum number of OAuth 2.0 bearer token authorization decisions to cache. This EAS has a built-in cache for storing authorization decisions so that WebSEAL can repeatedly use the same OAuth 2.0 bearer token without sending repeated requests to Tivoli Federated Identity Manager.

WebSEAL can cache bearer token decisions because they do not require signing of the request, unlike OAuth 1.0 requests. The lifetime of the cache entry depends on the Expires attribute that Tivoli Federated Identity Manager returns. If Tivoli Federated Identity Manager does not return this attribute, WebSEAL does not cache the decision.

This EAS implements a Least Recently Used cache. The decision associated with the least recently used bearer token is forgotten when a new bearer token decision is cached. A cache-size of 0 disables caching of authorization decisions.

Options

<number_decisions> The maximum number of OAuth 2.0 bearer token authorization decisions that WebSEAL caches.

Usage

This stanza entry is optional.

Default value

The default value is 0, which disables caching of authorization decisions.

Example

cache-size = 0

cluster-name

Syntax

cluster-name = <cluster>

Description

The name of the Tivoli Federated Identity Manager cluster that hosts this OAuth service. You must also specify a corresponding [tfim-cluster:<cluster>] stanza, which contains the definition of the cluster.

Options

<cluster> The name of the Tivoli Federated Identity Manager cluster where the OAuth service is hosted.


Usage

This stanza entry is required when configuring OAuth EAS authentication.

Default value

None.

Example

cluster-name = oauth-cluster

For this example, there needs to be a corresponding [tfim-cluster:oauth-cluster] stanza to define the cluster.

default-fed-id

Syntax

default-fed-id = <provider_url>

Description

The Provider ID of the default OAuth federation in Tivoli Federated Identity Manager. By default, WebSEAL uses this provider ID for OAuth requests.

You can override this default provider for an individual request by including a request parameter that has the name specified by the fed-id-param configuration entry.

Options

<provider_url> The Provider ID, a URL, of the federation that WebSEAL uses for OAuth requests. You can find the Provider ID of a federation on the federation properties page.

Usage

This stanza entry is required when configuring OAuth EAS authentication.

Default value

None

Example

default-fed-id = https://localhost/sps/oauthfed/oauth10

default-mode

Syntax

default-mode = <oauth_mode>


Description

The default OAuth mode that this EAS uses. The mode affects the validation of request parameters and the construction of the RequestSecurityToken (RST) sent to Tivoli Federated Identity Manager.

You can override this default mode for an individual request by providing a valid mode value [OAuth10|OAuth20Bearer] in a request parameter. The request parameter must have the name that is specified by the mode-param configuration entry.

Options

<oauth_mode> The OAuth mode that the OAuth EAS uses by default.

Usage

This stanza entry is required when configuring OAuth EAS authentication.

Default value

None.

Example

default-mode = OAuth10

fed-id-param

Syntax

fed-id-param = <request_param_name>

Description

The name of the parameter that you can include in a request to override the Provider ID that is specified by the default-fed-id configuration entry. If this fed-id-param configuration entry is set, WebSEAL checks incoming requests for a parameter with the specified name. If this request parameter exists, WebSEAL uses the Provider ID contained in the request rather than the default-fed-id Provider ID.

Note: The parameter value comes from the client request, so any client can select a different federation by supplying it. Delete this configuration entry to ensure that WebSEAL always uses the default provider that is specified by default-fed-id.

Options

<request_param_name> The name of the request parameter whose value specifies the Provider ID for WebSEAL to include in OAuth requests. If no such parameter exists in the request, WebSEAL uses the Provider ID specified by default-fed-id.

Usage

This stanza entry is optional.

Note: If you do not configure this stanza entry, WebSEAL always uses the provider that is configured as the default-fed-id.

Default value

None.

Example

fed-id-param = FederationId

mode-param

Syntax

mode-param = <mode_name>

Description

The name of the parameter that you can include in a request to override the mode that is specified by the default-mode configuration entry. If this mode-param configuration entry is set, WebSEAL checks incoming requests for a parameter with the specified name. If this request parameter exists, WebSEAL uses the mode contained in the request rather than the mode specified by default-mode.

Note: The parameter value comes from the client request, so any client can choose the OAuth mode that is used to validate its request. Delete this configuration entry to ensure that WebSEAL always uses the default mode that is specified by default-mode.

Options

<mode_name> The name of the request parameter whose value specifies the mode for the OAuth EAS to use. If no such parameter exists in the request, WebSEAL uses the mode specified by default-mode.

Usage

This stanza entry is optional.

Note: If you do not configure this stanza entry, WebSEAL always uses the mode that is configured as the default-mode.

Default value

None.

Example

mode-param = mode

realm-name

Syntax

realm-name = <realm_name>

Description

The name of the OAuth realm that is used in the 401 Unauthorized response with which WebSEAL requests OAuth data from the client.


Options

<realm_name> The name of the OAuth realm.

Usage

This stanza entry is required when configuring OAuth EAS authentication.

Default value

None.

Example

realm-name = realmOne

trace-component

Syntax

trace-component = <component_name>

Description

The name of the Security Access Manager trace component that the OAuth EAS uses.

Options

<component_name> The name of the Security Access Manager trace component.

Usage

This stanza entry is required when configuring OAuth EAS authentication.

Note: The pdweb.oauth component traces the data that passes into the OAuth EAS, which is governed by the [azn-decision-info] stanza. This trace might contain sensitive information, such as the OAuth data that requests carry, so enable it only while you diagnose a problem and protect the trace output accordingly.

Default value

None.

Example

trace-component = pdweb.oauth

unauthorized-rsp-file

Syntax

unauthorized-rsp-file = <file_name>

Description

Specifies the file that contains the body that is used when constructing a 401 Unauthorized response. This response is generated when either of the following scenarios occur:

- All OAuth data is missing from a request.
- The OAuth data fails validation.

Options

<file_name> The name of the 401 Unauthorized response file.

Usage

This stanza entry is required when configuring OAuth EAS authentication.

Default value

None.

Example

unauthorized-rsp-file = unauth_response.html

[obligations-levels-mapping] stanza

obligation

Syntax

<obligation> = <authentication-level>

Description

Defines the mappings between the obligation levels that the policy decision point (PDP) returns and the WebSEAL step-up authentication levels. Include a separate entry for each obligation that runtime security services (RTSS) returns to the runtime security services EAS.

The mapping between the obligation levels and the WebSEAL authentication levels must be one-to-one. The user must authenticate only through the appropriate obligation mechanisms.

The runtime security services EAS maps the obligation to the authentication level specified in this stanza and requests WebSEAL to authenticate the user at that level.

Options

<obligation> The name of the obligation that RTSS returns to the runtime security services EAS.

<authentication-level> The WebSEAL authentication level that the runtime security services EAS includes in the WebSEAL request. This value is a number that represents the authentication level in the [authentication-levels] stanza. Each entry in the [authentication-levels] stanza is assigned a number based on its position in the list; the first entry is level 0. For more information, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy and search for specifying authentication levels.


Usage

This stanza entry is required.

Default value

None.

Example

life_questions = 2
otp = 3
email = 4
voice = 5
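The check below is an added Python example, not part of the product, that reads a constructed configuration fragment containing both stanzas and verifies the rules stated above: every level number must exist in [authentication-levels], whose entries are numbered by position starting at 0, and the mapping must be one-to-one. The key name level in the [authentication-levels] stanza is an assumption of the example; the page describes only the numbering.

```python
# Constructed configuration fragment. The `level =` key for the
# [authentication-levels] stanza is an assumption of this example; the page only
# states that entries in that stanza are numbered by position, first entry = 0.
SAMPLE_CONFIG = """
[authentication-levels]
level = unauthenticated
level = password
level = life_questions
level = otp
level = email
level = voice

[obligations-levels-mapping]
life_questions = 2
otp = 3
email = 4
voice = 5
"""


def parse_stanzas(text):
    """Minimal stanza-file reader that keeps repeated keys in file order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, _, value = line.partition("=")
        stanzas[current].append((key.strip(), value.strip()))
    return stanzas


def check_obligation_mapping(text):
    """Return (mapping, problems). mapping is obligation -> (level number, name of
    the mechanism at that level); problems lists each violation of the rules in
    the [obligations-levels-mapping] description. An entry with a problem is
    left out of mapping so that only a consistent mapping is ever reported."""
    stanzas = parse_stanzas(text)
    levels = [v for k, v in stanzas.get("authentication-levels", []) if k == "level"]
    problems, mapping, owner = [], {}, {}
    for obligation, value in stanzas.get("obligations-levels-mapping", []):
        if obligation in mapping:
            problems.append("obligation %r is mapped more than once" % obligation)
            continue
        if not value.isdigit():
            problems.append("obligation %r: level %r is not a non-negative integer"
                            % (obligation, value))
            continue
        level = int(value)
        if level >= len(levels):
            problems.append("obligation %r: level %d does not exist; "
                            "[authentication-levels] defines %d level(s), numbered from 0"
                            % (obligation, level, len(levels)))
            continue
        if level in owner:
            problems.append("level %d is mapped from both %r and %r; the mapping must be one-to-one"
                            % (level, owner[level], obligation))
            continue
        owner[level] = obligation
        mapping[obligation] = (level, levels[level])
    return mapping, problems


if __name__ == "__main__":
    resolved, issues = check_obligation_mapping(SAMPLE_CONFIG)
    for name, (number, mechanism) in resolved.items():
        print("%-16s -> level %d (%s)" % (name, number, mechanism))
    for issue in issues:
        print("PROBLEM:", issue)
```

Running the check against a fragment in which two obligations point at the same level, or at a level beyond the last [authentication-levels] entry, reports the violation instead of silently letting a weaker mechanism satisfy a stronger obligation.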

[p3p-header] stanza

access

Syntax

access = {none|all|nonident|contact-and-other|ident-contact|other-ident}

Description

Specifies the type of access the user has to the information contained within and linked to the cookie.

Options

none No access to identified data is given.

all Access is given to all identified data.

contact-and-other Access is given to identified online and physical contact information as well as to certain other identified data.

ident-contact Access is given to identified online and physical contact information. For example, users can access things such as a postal address.

nonident Web site does not collect identified data.

other-ident Access is given to certain other identified data. For example, users can access things such as their online account charges.

Usage

This stanza entry is required.

Default value

none

Example

access = none


categories

Syntax

categories = {physical|online|uniqueid|purchase|financial|computer|navigation|interactive|demographic|content|state|political|health|preference|location|government|other-category}

Description

Specifies the type of information stored in the cookie or linked to by the cookie. When the non-identifiable stanza entry is set to yes, then no categories need be configured.

Options

physical Information that allows an individual to be contacted or located in the physical world. For example, telephone number or address.

online Information that allows an individual to be contacted or located on the Internet.

uniqueid Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual.

purchase Information actively generated by the purchase of a product or service, including information about the method of payment.

financial Information about an individual's finances including account status and activity information such as account balance, payment or overdraft history, and information about an individual's purchase or use of financial instruments including credit or debit card information.

computer Information about the computer system that the individual is using to access the network. For example, IP number, domain name, browser type or operating system.

navigation Data passively generated by browsing the Web site. For example, which pages are visited, and how long users stay on each page.

interactive Data actively generated from or reflecting explicit interactions with a service provider through its site. For example, queries to a search engine, or logs of account activity.

demographic Data about an individual's characteristics. For example, gender, age, and income.

content The words and expressions contained in the body of a communication. For example, the text of email, bulletin board postings, or chat room communications.

state Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously. For example, HTTP cookies.

political Membership in or affiliation with groups such as religious organizations, trade unions, professional associations and political parties.

health Information about an individual's physical or mental health, sexual orientation, use or inquiry into health care services or products, and purchase of health care services or products.

preference Data about an individual's likes and dislikes. For example, favorite color or musical tastes.

location Information that can be used to identify an individual's current physical location and track them as their location changes. For example, Global Positioning System position data.

government Identifiers issued by a government for purposes of consistently identifying the individual.

other-category Other types of data not captured by the above definitions.

Usage

This stanza entry is required.

Default value

uniqueid

Example

categories = uniqueid

disputes

Syntax

disputes = {yes|no}

Description

Specifies whether the full P3P policy contains some information regarding disputes over the information contained within the cookie.

Options

yes The value yes means that information about disputes is contained in the full P3P policy.

no The value no means that no information about disputes is contained in the policy.

Usage

This stanza entry is required.


Default value

no

Example

disputes = no

non-identifiable

Syntax

non-identifiable = {yes|no}

Description

Specifies whether the information in the cookie, or linked to by the cookie, personally identifies the user.

Options

yes No data is collected (including Web logs), or the information collected does not identify the user.

no Data that is collected can identify the user.

Usage

This stanza entry is required.

Default value

no

Example

non-identifiable = no

p3p-element

Syntax

p3p-element = policyref=location_of_policy_reference

Description

Specifies elements to add to the P3P header in addition to the elements specified by the other configuration items in this stanza. Typically this is done by referring to the location of a full XML policy.

Options

policyref=location_of_policy_reference The location of the full P3P policy reference file. The default entry points to the well-known location /w3c/p3p.xml, relative to the site, that the World Wide Web Consortium defines for P3P policy reference files.

Usage

This stanza entry is required.


Default value

The default entry points to the well-known P3P policy reference location defined by the World Wide Web Consortium:

policyref="/w3c/p3p.xml"

Example

p3p-element = policyref="/w3c/p3p.xml"

purpose

Syntax

purpose = {current|admin|develop|tailoring|pseudo-analysis|pseudo-decision|individual-analysis|individual-decision|contact|historical|telemarketing|other-purpose}[:[opt-in|opt-out|always]]

Description

Specifies the purpose of the information in the cookie and linked to by the cookie.

Options

current Information can be used by the service provider to complete the activity for which it was provided.

admin Information can be used for the technical support of the Web site and its computer system.

develop Information can be used to enhance, evaluate, or otherwise review the site, service, product, or market.

tailoring Information can be used to tailor or modify content or design of the site where the information is used only for a single visit to the site.

pseudo-analysis Information can be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.

pseudo-decision Information can be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.

individual-analysis Information can be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data for the purpose of research, analysis and reporting.

individual-decision Information can be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data to make a decision that directly affects that individual.

contact Information can be used to contact the individual, through a communications channel other than voice telephone, for the promotion of a product or service.

historical Information can be archived or stored for the purpose of preserving social history as governed by an existing law or policy.

telemarketing Information can be used to contact the individual through a voice telephone call for promotion of a product or service.

other-purpose Information may be used in other ways not captured by the above definitions.

For all values except current, an additional option can be specified. The possiblevalues are:

always Users cannot opt-in or opt-out of this use of their data.

opt-in Data may be used for this purpose only when the user affirmatively requests this use.

opt-out Data may be used for this purpose unless the user requests that it not be used in this way.

When no additional option is specified, the default value is always.

Usage

This stanza entry is required.

Default value

The default values are current and other-purpose:opt-in.

Example

purpose = current
purpose = other-purpose:opt-in

recipient

Syntax

recipient = {ours|delivery|same|unrelated|public|other-recipient}[:[opt-in|opt-out|always]]

Description

Specifies the recipients of the information in the cookie, and linked to by the cookie.

Options

ours Ourselves and/or entities acting as our agents, or entities for whom we are acting as an agent. An agent is a third party that processes data only on behalf of the service provider.

delivery Legal entities performing delivery services that may use data for purposes other than completion of the stated purpose.

same Legal entities following our practices. These are legal entities who use the data on their own behalf under equable practices.

unrelated Unrelated third parties. These are legal entities whose data usage practices are not known by the original service provider.

public Public forums. These are public forums such as bulletin boards, public directories, or commercial CD-ROM directories.

other-recipient Legal entities following different practices. These are legal entities that are constrained by and accountable to the original service provider, but may use the data in a way not specified in the service provider's practices.

For all values an additional option can be specified. The possible values are:

alwaysUsers cannot opt-in or opt-out of this use of their data.

opt-in Data may be used for this purpose only when the user affirmativelyrequests this use.

opt-outData may be used for this purpose unless the user requests that it not beused in this way.

When no additional option is specified, the default value is always.

Usage

This stanza entry is required.

Default value

ours

Examplerecipient = oursrecipient = public:opt-in

remedies

Syntaxremedies = {correct|money|law}


Description

Specifies the types of remedies in case a policy breach occurs. When this entry has no value, there is no remedy information in the P3P compact policy.

Options

correct
    Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.

money
    If the service provider violates its privacy policy it will pay the individual an amount specified in the human readable privacy policy or the amount of damages.

law
    Remedies for breaches of the policy statement will be determined based on the law referenced in the human readable description.

Usage

This stanza entry is required.

Default value

correct

Example
    remedies = correct

retention

Syntax
    retention = {no-retention|stated-purpose|legal-requirement|business-practices|indefinitely}

Description

Specifies how long the information in the cookie or linked to by the cookie is retained.

Options

no-retention
    Information is not retained for more than a brief period of time necessary to make use of it during the course of a single online interaction.

stated-purpose
    Information is retained to meet the stated purpose, and is to be discarded at the earliest time possible.

legal-requirement
    Information is retained to meet a stated purpose, but the retention period is longer because of a legal requirement or liability.

business-practices
    Information is retained under a service provider's stated business practices.


indefinitely
    Information is retained for an indeterminate period of time.

Usage

This stanza entry is required.

Default value

no-retention

Example
    retention = no-retention
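The following added example is not WebSEAL code and is not part of this reference. It parses purpose, recipient, remedies, and retention entries of the kind shown above and renders the P3P compact policy that such values amount to, so that an administrator can see what a given configuration produces. The token codes (CUR, OTPi, OUR, COR, NOR, and so on) and the opt-in (i) and opt-out (o) suffixes are those of the P3P 1.0 compact-policy grammar; the purpose values that this page does not list (admin, develop, tailoring, pseudo-analysis, pseudo-decision, individual-analysis) come from the same specification, as does the CP= form of the response header value. That grammar gives the ours recipient, like the current purpose, no opt qualifier, so the example rejects one; the order in which tokens are emitted is this example's choice.

```python
"""Render WebSEAL-style P3P stanza entries as a P3P 1.0 compact policy.

Added example; not WebSEAL code. Token codes and the i/o qualifier
suffixes follow the P3P 1.0 compact-policy grammar.
"""

# Vocabulary tables: stanza value -> compact-policy token (P3P 1.0).
PURPOSE = {
    "current": "CUR", "admin": "ADM", "develop": "DEV", "tailoring": "TAI",
    "pseudo-analysis": "PSA", "pseudo-decision": "PSD",
    "individual-analysis": "IVA", "individual-decision": "IVD",
    "contact": "CON", "historical": "HIS", "telemarketing": "TEL",
    "other-purpose": "OTP",
}
RECIPIENT = {
    "ours": "OUR", "delivery": "DEL", "same": "SAM",
    "other-recipient": "OTR", "unrelated": "UNR", "public": "PUB",
}
REMEDIES = {"correct": "COR", "money": "MON", "law": "LAW"}
RETENTION = {
    "no-retention": "NOR", "stated-purpose": "STP",
    "legal-requirement": "LEG", "business-practices": "BUS",
    "indefinitely": "IND",
}
# Qualifier suffixes; "always" is the default and carries no suffix.
QUALIFIER = {"always": "", "opt-in": "i", "opt-out": "o"}
# CUR and OUR take no qualifier in the compact grammar.
UNQUALIFIED = {"CUR", "OUR"}


def parse_stanza(text):
    """Parse 'key = value' lines into {key: [values...]}, keeping order.

    Repeated keys (purpose, recipient) accumulate. Blank lines, comments
    and stanza headers are skipped.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a key = value line: %r" % raw)
        entries.setdefault(key.strip(), []).append(value.strip())
    return entries


def qualified_token(value, table):
    """Map 'name[:qualifier]' to its token plus qualifier suffix."""
    name, _, qualifier = value.partition(":")
    if name not in table:
        raise ValueError("unknown value %r" % name)
    token = table[name]
    if token in UNQUALIFIED:
        if qualifier:
            raise ValueError("%s does not take an opt qualifier" % name)
        return token
    if qualifier and qualifier not in QUALIFIER:
        raise ValueError("unknown qualifier %r on %s" % (qualifier, name))
    return token + QUALIFIER[qualifier or "always"]


def compact_policy(entries):
    """Return the space-separated compact-policy tokens for the entries.

    An empty remedies value emits no remedy token, as the text above says.
    """
    tokens = []
    for value in entries.get("remedies", []):
        if value:
            tokens.append(REMEDIES[value])
    for value in entries.get("purpose", []):
        tokens.append(qualified_token(value, PURPOSE))
    for value in entries.get("recipient", []):
        tokens.append(qualified_token(value, RECIPIENT))
    for value in entries.get("retention", []):
        tokens.append(RETENTION[value])  # retention takes no qualifier
    return " ".join(tokens)


def p3p_header_value(entries):
    """Value of the P3P response header that carries the compact policy."""
    return 'CP="%s"' % compact_policy(entries)


# The defaults documented above, as constructed sample input.
DOCUMENTED_DEFAULTS = """
purpose = current
purpose = other-purpose:opt-in
recipient = ours
remedies = correct
retention = no-retention
"""

if __name__ == "__main__":
    print(p3p_header_value(parse_stanza(DOCUMENTED_DEFAULTS)))
```

Running the file prints the header value for the documented defaults, CP="COR CUR OTPi OUR NOR". An unknown value or a qualifier on ours or current raises ValueError rather than producing a token that a browser would misread.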

[PAM] stanza

pam-enabled

Syntax
    pam-enabled = {true|false}

Description

Enables or disables the IBM Internet Security Systems Protocol Analysis Module. The module inspects the HTTP content of selected requests, checking for potential security vulnerabilities.

Options

true
    Enables the Protocol Analysis Module.

false
    Disables the Protocol Analysis Module.

Usage

This stanza entry is required.

Default value

false

Example
    pam-enabled = false

pam-max-memory

Syntax
    pam-max-memory = memory_size

Description

The amount of memory, in bytes, that the IBM Internet Security Systems Protocol Analysis Module can use. The module uses this value to tune the size of its caches for the amount of available memory.


Options

memory_size
    The amount of memory, in bytes, that is available to the module.

Usage

This stanza entry is optional.

Default value

None.

Example
    pam-max-memory = 16777216

pam-use-proxy-header

Syntax
    pam-use-proxy-header = {true|false}

Description

Controls whether the Protocol Analysis Module uses the X-Forwarded-For header to identify the client. This configuration item is useful if a network-terminating proxy is located between the server and the client. If the value is set to false, the module identifies the client based on the socket connection information.

Note: X-Forwarded-For is set by whoever sends the request, so enable this entry only when a trusted proxy that rewrites the header sits in front of WebSEAL; otherwise a client can choose the address that the module attributes its traffic to.

Options

true
    The module uses the X-Forwarded-For header to identify the client.

false
    The module uses the available socket connection information to identify the client.

Usage

This stanza entry is required.

Default value

false

Example
    pam-use-proxy-header = false

pam-http-parameter

Syntax
    pam-http-parameter = parameter:value


Description

Defines specific parameters for WebSEAL to pass to the Protocol Analysis Module HTTP interface during initialization. For a list of valid Protocol Analysis Module parameters, see the module documentation at http://www.iss.net/security_center/reference/help/pam.

Note: You can specify this configuration entry multiple times, one for each parameter.

Options

parameter:value
    The Protocol Analysis Module parameter and its assigned value.

Usage

This stanza entry is optional.

Default value

None.

Example
    pam-http-parameter = param1:val1
    pam-http-parameter = param2:val2

pam-coalescer-parameter

Syntax
    pam-coalescer-parameter = parameter:value

Description

Defines specific parameters for WebSEAL to pass to the Protocol Analysis Module coalescer interface during initialization. The Protocol Analysis Module uses this interface to combine module-related issues into a single event. For a list of valid Protocol Analysis Module parameters, see the module documentation at http://www.iss.net/security_center/reference/help/pam.

Note: You can specify this configuration entry multiple times, one for each parameter.

Options

parameter:value
    The Protocol Analysis Module parameter and its assigned value.

Usage

This stanza entry is optional.

Default value

None.


Example
    pam-coalescer-parameter = combine:on

pam-log-cfg

Syntax
    pam-log-cfg = agent [parameter=value],[parameter=value]...

Description

Configures the IBM Internet Security Systems Protocol Analysis Module for logging. You can use the available parameters to configure the logging agents.

Options

agent
    Specifies the logging agent. The agent controls the logging destination for server events. Valid agents include:
    - stdout
    - stderr
    - file
    - remote
    - rsyslog

parameter
    The different agents support the following configuration parameters:

Table 2. Logging agent configuration parameters

    Parameter        Supporting agents
    buffer_size      remote
    compress         remote
    dn               remote
    error_retry      remote, rsyslog
    flush_interval   all
    hi_water         all
    log_id           file, rsyslog
    max_event_len    rsyslog
    mode             file
    path             all
    port             remote, rsyslog
    queue_size       all
    rebind_retry     remote, rsyslog
    rollover_size    file
    server           remote, rsyslog
    ssl_keyfile      rsyslog
    ssl_label        rsyslog
    ssl_stashfile    rsyslog


Note: For a complete description of the available logging agents and the supported configuration parameters, see the IBM Security Access Manager for Web: Auditing Guide.

Usage

This stanza entry is required.

Default value

None.

Example

To send logging from the Protocol Analysis Module to a file called pam.log:
    pam-log-cfg = file path=pam.log

To send logging from the module to a remote syslog server:
    pam-log-cfg = rsyslog server=timelord,port=514,log_id=webseal-instance

pam-log-audit-events

Syntax
    pam-log-audit-events = {true|false}

Description

Specifies whether audit events are sent to the Protocol Analysis Module log file.

Note: You can use the pam-log-cfg entry in the [PAM] stanza to configure the log file for the module.

Options

true
    The Protocol Analysis Module sends audit events to the log file.

    Note: This setting dramatically increases the number of logged events.

false
    The Protocol Analysis Module does not send audit events to the log file.

Usage

This stanza entry is required.

Default value

false

Example
    pam-log-audit-events = false

pam-disabled-issues

Syntax
    pam-disabled-issues = list_of_issues


Description

Specifies a comma-separated list of Protocol Analysis Module issues to disable. By default, all Protocol Analysis Module issues are enabled.

Options

list_of_issues
    A comma-separated list of Protocol Analysis Module issues. The module disables each issue in the list.

Usage

This stanza entry is optional.

Default value

None.

Example

The following entry disables Ace_Filename_Overflow and HTTPS_Apache_ClearText_DoS.
    pam-disabled-issues = 2121050,2114033

pam-resource-rule

Syntax
    pam-resource-rule = [+|-]{URI}

Description

Specifies the rules that WebSEAL uses to determine whether to pass a particular resource down to the Protocol Analysis Module. WebSEAL examines each rule in sequence until a match is found. The first successful match determines whether WebSEAL passes the request to the module. WebSEAL does not pass the request to the module layer if no match is found.

You can define multiple resource rules. Each entry has the format [+|-]{URI}. For example, -*.gif. Because an unmatched request is not inspected, list the exclusions first and end with a catch-all rule such as +* if every other request is to be inspected.

Options

+
    Configures WebSEAL to pass matching requests to the Protocol Analysis Module layer.

-
    Configures WebSEAL not to pass matching requests to the Protocol Analysis Module layer.

{URI}
    Contains a pattern that WebSEAL uses to match against the URI that is found in the request. You can use the wildcard characters * and ?.

Usage

This stanza entry is optional.


Default value

None.

Example
    pam-resource-rule = -*.gif
    pam-resource-rule = +*.html

[pam-resource:<URI>] stanza

You can use this stanza to customize the Protocol Analysis Module processing for individual resources and events. The <URI> value contains a pattern that WebSEAL can match against the URI that is found in the request. You can use the wildcard characters * and ?. For example, [pam-resource:test.html] or [pam-resource:*.js].

pam-issue

Syntax
    pam-issue = action

Description

You can use the entries in this stanza to control the processing of certain module-related events.

Options

pam-issue
    Contains a pattern, which WebSEAL uses to match a Protocol Analysis Module issue. You can use the wildcard characters * and ?.

action
    The action to undertake for the issue. The action can be either of the following values:

    block
        Blocks the connection for a specified number of seconds. For example, block:30.

    ignore
        Ignores the issue and continues to process the request.

Usage

This stanza entry is required.

Default value

None.

Example
    212105? = block:0
    2119002 = block:20
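The following added example is not WebSEAL code and is not part of this reference. It evaluates pam-resource-rule entries and [pam-resource:<URI>] issue actions as the two sections above describe: rules are tried in order, the first match decides, and a request that matches no rule is not passed to the Protocol Analysis Module. Two details are assumptions of the example rather than documented behaviour: the wildcards * and ? are treated like shell globs (* matches any run of characters including /, ? exactly one character) against the whole request URI, and when more than one [pam-resource:<URI>] stanza matches a URI the first one listed is used. The issue numbers and patterns are the ones shown on this page; the URIs are constructed sample input.

```python
"""Evaluate pam-resource-rule entries and [pam-resource:<URI>] issue actions:
first match wins, and a request that matches no rule never reaches the
Protocol Analysis Module.

Added example; not WebSEAL code. Assumptions: * and ? behave like shell
globs (* any run of characters including '/', ? exactly one character)
matched against the whole request URI; when several [pam-resource:<URI>]
stanzas match a URI, the first one listed is used.
"""
import re


def wildcard_to_regex(pattern):
    """Translate a pattern using * and ? into an anchored regex (assumption above)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def parse_resource_rules(lines):
    """Parse 'pam-resource-rule = [+|-]{URI}' entries, preserving order."""
    rules = []
    for raw in lines:
        key, sep, value = raw.strip().partition("=")
        if not sep or key.strip() != "pam-resource-rule":
            continue
        value = value.strip()
        if len(value) < 2 or value[0] not in "+-":
            raise ValueError("rule must be [+|-]{URI}: %r" % raw)
        rules.append((value[0] == "+", wildcard_to_regex(value[1:])))
    return rules


def inspect_request(uri, rules):
    """True when the first matching rule is a + rule; False on a - rule or no match."""
    for pass_to_module, regex in rules:
        if regex.match(uri):
            return pass_to_module
    return False


def parse_issue_action(text):
    """Parse 'block:<seconds>' or 'ignore' into a (kind, seconds) pair."""
    text = text.strip()
    if text == "ignore":
        return ("ignore", 0)
    kind, sep, seconds = text.partition(":")
    if kind == "block" and sep and seconds.isdigit():
        return ("block", int(seconds))
    raise ValueError("action must be block:<seconds> or ignore: %r" % text)


def parse_resource_stanza(lines):
    """Parse one [pam-resource:<URI>] stanza into (uri_regex, [(issue_regex, action)])."""
    header = lines[0].strip()
    prefix = "[pam-resource:"
    if not (header.startswith(prefix) and header.endswith("]")):
        raise ValueError("expected a [pam-resource:<URI>] header: %r" % header)
    uri_regex = wildcard_to_regex(header[len(prefix):-1])
    actions = []
    for raw in lines[1:]:
        issue, sep, action = raw.strip().partition("=")
        if not sep:
            continue
        actions.append((wildcard_to_regex(issue.strip()), parse_issue_action(action)))
    return uri_regex, actions


def action_for_issue(uri, issue_id, stanzas):
    """Action configured for an issue on a URI, or None when nothing is configured."""
    for uri_regex, actions in stanzas:
        if uri_regex.match(uri):
            for issue_regex, action in actions:
                if issue_regex.match(issue_id):
                    return action
            return None  # first matching stanza decides (assumption)
    return None


# Constructed sample configuration, built from the examples on this page.
RULES = parse_resource_rules([
    "pam-resource-rule = -*.gif",
    "pam-resource-rule = +*.html",
])
STANZAS = [parse_resource_stanza([
    "[pam-resource:*.js]",
    "212105? = block:0",
    "2119002 = block:20",
])]

if __name__ == "__main__":
    for uri in ("/index.html", "/logo.gif", "/api/login"):
        print(uri, "inspected" if inspect_request(uri, RULES) else "not inspected")
    print(action_for_issue("/scripts/app.js", "2121050", STANZAS))
```

Running the file shows the consequence of the no-match rule: with only -*.gif and +*.html configured, /api/login is never inspected because nothing matches it, and swapping the order of a catch-all +* and -*.gif changes whether images are inspected.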


[preserve-cookie-names] stanza

name

Syntax
    name = cookie_name

Description

List of specific cookie names that WebSEAL must not modify.

WebSEAL, by default, modifies the names of cookies returned in responses from junctions created with pdadmin using the -j flag. WebSEAL also by default modifies the names of cookies listed in the junction mapping table (JMT). This default modification is done to prevent naming conflicts with cookies returned by other junctions.

When a front-end application depends on the names of specific cookies, the administrator can disable the modification of cookie names for those specific cookies. The administrator does this by listing the cookies in this stanza.

Options

cookie_name
    When entering a value for cookie_name, use ASCII characters.

Usage

This stanza entry is optional.

Default value

There are no cookie names set by default.

Example
    name = JSESSIONID

[process-root-filter] stanza

root

Syntax
    root = pattern

Description

Specifies the patterns for which you want root junction requests processed at the root junction when process-root-requests = filter.

Options

pattern
    Values for pattern must be standard WebSEAL wildcard patterns.


Usage

Entries in this stanza are required when process-root-requests = filter.

Default value
    root = /index.html
    root = /cgi-bin*

Example
    root = /index.html
    root = /cgi-bin*

[reauthentication] stanza

reauth-at-any-level

Syntax
    reauth-at-any-level = {yes|no}

Description

Controls whether a different authentication level or mechanism is permitted during a reauthentication operation.

Options

yes
    During a reauthentication operation, a user can be authenticated using a different authentication level or mechanism from that which is currently held by the user. The user's new credential replaces the old one.

    Note: If this configuration option is set to yes, the credential can change one or more times during the lifetime of the session. Also, the credential will always be updated upon a successful reauthentication regardless of the existing authentication level of the credential.

no
    During a reauthentication operation, a user can only be authenticated at the same authentication level or mechanism as the user's current credential.

Usage

This stanza entry is required.

Default value

no

Example
    reauth-at-any-level = no

reauth-extend-lifetime

Syntax
    reauth-extend-lifetime = number_of_seconds


Description

Integer value expressing the time in seconds that the credential cache timer should be extended to allow clients to complete a reauthentication.

Options

number_of_seconds
    When the value is zero (0), the lifetime timer is not extended. WebSEAL imposes no maximum. The maximum value is limited only by the integer data type.

Usage

This stanza entry is required.

Default value

0

Example
    reauth-extend-lifetime = 0

reauth-for-inactive

Syntax
    reauth-for-inactive = {yes|no}

Description

Enables WebSEAL to prompt users to reauthenticate when their entry in the WebSEAL credential cache has timed out due to inactivity.

Options

yes
    Enable reauthentication.

no
    Disable reauthentication.

Usage

This stanza entry is required.

Default value

no

Example
    reauth-for-inactive = no

reauth-reset-lifetime

Syntax
    reauth-reset-lifetime = {yes|no}


Description

Enables WebSEAL to reset the lifetime timer for WebSEAL credential cache entries following successful reauthentication.

Options

yes
    Enable.

no
    Disable.

Usage

This stanza entry is required.

Default value

no

Example
    reauth-reset-lifetime = no

terminate-on-reauth-lockout

Syntax
    terminate-on-reauth-lockout = {yes|no}

Description

Specifies whether or not to remove the session cache entry of a user who reaches the max-login-failures policy limit during reauthentication.

Options

yes
    When the maximum number of failed login attempts (specified by the max-login-failures policy) is reached during reauthentication, the user is logged out and the user's session is removed.

no
    When the maximum number of failed login attempts (specified by the max-login-failures policy) is reached during reauthentication, the user is locked out as specified by the disable-time-interval setting, and notified of the lockout as specified by the late-lockout-notification setting. The user is not logged out and the initial login session is still valid. The user can still access other resources that are not protected by a reauthn POP.

Usage

This stanza entry is required.

Default value

yes

Example
    terminate-on-reauth-lockout = yes


[replica-sets] stanza

replica-set

Syntax
    replica-set = replica_set_name

Description

If WebSEAL is configured to use the SMS for session storage, the WebSEAL server joins each of the replica sets listed in this stanza. The entries listed here must be replica sets configured on the SMS.

Options

replica_set_name
    Replica set name.

Usage

This stanza entry is optional.

Default value

None.

Example
    replica-set = setA

[rtss-eas] stanza

You can use the rtss-eas configuration stanza to configure the EAS that communicates with the RBA server. The runtime security services EAS is used for a particular object if the effective POP for the object has an attribute called eas-trigger with an associated value of trigger_rba_eas.

apply-tam-native-policy

Syntax
    apply-tam-native-policy = {true|false}

Description

Determines whether the IBM Security Access Manager for Web ACL policy takes effect.

Options

true
    Runtime security services EAS checks with Security Access Manager whether the user has permission to access the resource based on the ACL policy.

false
    Runtime security services EAS does not check the Security Access Manager ACL policy to determine whether the user has permission to access the resource.


Usage

This stanza entry is required.

Default value

None.

Example
    apply-tam-native-policy = true

audit-log-cfg

Syntax
    audit-log-cfg = <agent>[<parameter>=<value>],[<parameter>=<value>],...

Description

Configures audit logging for the runtime security service. You can use the available parameters to configure the logging agents.

Options

<agent>
    Specifies the logging agent. The agent controls the logging destination for server events. Valid agents include:
    - stdout
    - stderr
    - file
    - remote
    - rsyslog

<parameter>
    The different agents support the following configuration parameters:

Table 3. Logging agent configuration parameters

    Parameter        Supporting agents
    buffer_size      remote
    compress         remote
    dn               remote
    error_retry      remote, rsyslog
    flush_interval   all
    hi_water         all
    log_id           file, rsyslog
    max_event_len    rsyslog
    mode             file
    path             all
    port             remote, rsyslog
    queue_size       all
    rebind_retry     remote, rsyslog
    rollover_size    file
    server           remote, rsyslog
    ssl_keyfile      rsyslog
    ssl_label        rsyslog
    ssl_stashfile    rsyslog

Note: For a complete description of the available logging agents and the supported configuration parameters, see the Security Access Manager: Auditing Guide.

Usage

This stanza entry is optional.

Note: You must configure this attribute if you want WebSEAL to log runtime security audit events. If there is no value set, then WebSEAL does not log any audit events for the runtime security service.

Default value

None.

Example

To log audit events in a file called rtss-audit.log:
    audit-log-cfg = file path=/tmp/rtss-audit.log,flush_interval=20,rollover_size=2000000,queue_size=48

To send audit logs to STDOUT:
    audit-log-cfg = stdout

cluster-name

Syntax
    cluster-name = <cluster_name>

Description

The name of the runtime security services SOAP cluster that hosts this runtime security SOAP service. You must also specify a corresponding [rtss-cluster:<cluster>] stanza, which contains the definition of the cluster.

Options

<cluster_name>
    The name of the runtime security services SOAP cluster where the runtime security SOAP service is hosted.

Usage

This stanza entry is required.


Default value

None.

Example
    cluster-name = cluster1

For this example, there needs to be a corresponding [rtss-cluster:cluster1] stanza to define the cluster.

context-id

Syntax
    context-id = <service_name>

Description

Specifies the context-id that the runtime security services EAS uses when sending XACML requests to runtime security services (RTSS). This value must match the service name of the deployed policy.

Note: If the context-id parameter is not set, it defaults to the WebSEAL server name.

Options

<service_name>
    The context-id that EAS uses to send XACML requests to RTSS.

Usage

This stanza entry is optional.

Default value

If there is no value provided for this parameter, it defaults to the WebSEAL server name.

Example
    context-id = webseal.ibm.com

trace-component

Syntax
    trace-component = <component_name>

Description

Specifies the name of the Security Access Manager trace component that the EAS uses.

Options

<component_name>
    The name of the Security Access Manager trace component.


Usage

This stanza entry is required.

Note: The configured component traces the data that passes into the runtime security services EAS, which is governed by the [azn-decision-info] stanza. This trace might contain sensitive information.

Default value

None.

Example
    trace-component = pdweb.rtss

[rtss-cluster:<cluster>] stanza

This stanza contains the configuration entries for the runtime security services SOAP servers.

basic-auth-user

Syntax
    basic-auth-user = <user_name>

Description

Specifies the name of the user for WebSEAL to include in the basic authentication header when communicating with the runtime security services SOAP server.

Options

<user_name>
    The user name for WebSEAL to include in the basic authentication header.

Usage

This stanza entry is optional.

Note: Configure this entry if the runtime security services SOAP server is configured to require basic authentication.

Default value

None.

Example
    basic-auth-user = userA

basic-auth-passwd

Syntax
    basic-auth-passwd = <password>


Description

Specifies the password for WebSEAL to include in the basic authentication header when communicating with the runtime security services SOAP server.

Options

<password>
    The password that WebSEAL includes in the basic authentication header.

Usage

This stanza entry is optional.

Note: Configure this entry if the runtime security services SOAP server is configured to require basic authentication. Basic authentication only base64-encodes the password, so use it only with server entries whose URLs use HTTPS.

Default value

None.

Example
    basic-auth-passwd = password

handle-idle-timeout

Syntax
    handle-idle-timeout = <number>

Description

Specifies the length of time, in seconds, before an idle handle is removed from the handle pool cache.

Options

<number>
    Length of time, in seconds, before an idle handle is removed from the handle pool cache.

Usage

This stanza entry is required.

Default value

None.

Example
    handle-idle-timeout = 240

handle-pool-size

Syntax
    handle-pool-size = <number>


Description

The maximum number of cached handles that WebSEAL uses to communicate with runtime security services SOAP.

Options

<number>
    The maximum number of handles that WebSEAL uses for runtime security services SOAP communication.

Usage

This stanza entry is required.

Default value

None.

Example
    handle-pool-size = 10

server

Syntax
    server = {[0-9],}<URL>

Description

Specifies a priority level and URL for each runtime security services SOAP server that is a member of this cluster. Multiple server entries can be specified for a given cluster for failover and load balancing.

Options

[0-9]
    A digit, 0-9, that represents the priority of the server in the cluster (9 being the highest, 0 being the lowest). If the priority is not specified, a priority of 9 is assumed.

    Note: There can be no space between the comma (,) and the URL. If no priority is specified, the comma is omitted.

<URL>
    A well-formed HTTP or HTTPS uniform resource locator for the runtime security services (RTSS).

Usage

This stanza entry is required.

Default value

None.

Example
    server = 9,http://localhost:9080/rtss/authz/services/AuthzService


ssl-fips-enabled

Syntax
    ssl-fips-enabled = {yes|no}

Description

Determines whether Federal Information Processing Standards (FIPS) mode is enabled with runtime security services SOAP.

Note: If no configuration entry is present, the global setting, determined by the Access Manager policy server, takes effect.

Options

yes
    FIPS mode is enabled.

no
    FIPS mode is disabled.

Usage

This stanza entry is required if both of the following conditions are true:
- One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.

Note: If you want to use a FIPS level that is different from the Access Manager policy server, edit the configuration file and specify a value for this entry.

Example
    ssl-fips-enabled = yes

ssl-keyfile

Syntax
    ssl-keyfile = <file_name>

Description

The name of the key database file that houses the client certificate for WebSEAL to use.

Options

<file_name>
    The name of the key database file that houses the client certificate for WebSEAL to use.


Usage

This stanza entry is required if both of the following conditions are true:
- One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.

Example
    ssl-keyfile = file_name

ssl-keyfile-label

Syntax
    ssl-keyfile-label = <label_name>

Description

The label of the client certificate in the key database.

Options

<label_name>
    Client certificate label name.

Usage

This stanza entry is required if both of the following conditions are true:
- One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.

Example
    ssl-keyfile-label = label_name


ssl-keyfile-stash

Syntax
    ssl-keyfile-stash = <file_name>

Description

The name of the password stash file for the key database file.

Options

<file_name>
    The name of the password stash file for the key database file.

Usage

This stanza entry is required if both of the following conditions are true:
- One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.

Example
    ssl-keyfile-stash = file_name

ssl-valid-server-dn

Syntax
    ssl-valid-server-dn = <DN-value>

Description

Specifies the distinguished name of the server (obtained from the server SSL certificate) that WebSEAL can accept.

Options

<DN-value>
    The distinguished name of the server (obtained from the server SSL certificate) that WebSEAL accepts. If no value is specified, WebSEAL considers any server distinguished name valid, so any server certificate that chains to a CA trusted by the key database is accepted. You can specify multiple distinguished names by including multiple ssl-valid-server-dn configuration entries.

Usage

This stanza entry is required if both of the following conditions are true:
- One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.

Example
    ssl-valid-server-dn = CN=Access Manager,OU=SecureWay,O=Tivoli,C=US

timeout

Syntax
    timeout = <seconds>

Description

The length of time (in seconds) to wait for a response from runtime security services SOAP.

Options

<seconds>
    The length of time (in seconds) to wait for a response from runtime security services SOAP.

Usage

This stanza entry is required.

Default value

None.

Example
    timeout = 240
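The following added example is not WebSEAL code and is not part of this reference. It parses an [rtss-cluster:<cluster>] stanza, orders the server entries by priority as documented above (a digit 0-9, 9 highest, default 9, no space after the comma), and reports the mismatches that the entries of this stanza describe: https servers without the client-certificate trio of ssl-keyfile, ssl-keyfile-label, and ssl-keyfile-stash (a warning, since WebSEAL then uses the global [ssl] stanza), no ssl-valid-server-dn (any server DN accepted), basic-auth-user or basic-auth-passwd alongside an http:// server (the password crosses the wire base64-encoded, not encrypted), and missing required entries. The host names are constructed sample input, and the severity labels, the "partial trio" rule, and the tie-break for equal priorities (configuration order) are this example's choices.

```python
"""Order and sanity-check the entries of an [rtss-cluster:<cluster>] stanza.

Added example; not WebSEAL code. Server entries follow the documented
'server = {[0-9],}<URL>' form. Severity labels, the tie-break for equal
priorities and the host names in SAMPLE are this example's choices.
"""
import re
from urllib.parse import urlsplit

# Optional priority digit and comma, then the URL. A space after the
# comma does not match, as the note on the server entry requires.
SERVER_RE = re.compile(r"^(?:([0-9]),)?(\S+)$")
CLIENT_CERT_ENTRIES = ("ssl-keyfile", "ssl-keyfile-label", "ssl-keyfile-stash")
REQUIRED_ENTRIES = ("server", "handle-pool-size", "handle-idle-timeout", "timeout")


def parse_stanza(text):
    """Return (stanza_name, {key: [values]}) for one stanza of configuration text."""
    name, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a key = value line: %r" % raw)
        entries.setdefault(key.strip(), []).append(value.strip())
    return name, entries


def parse_server(value):
    """Parse '9,https://host/path' or 'https://host/path' into (priority, url)."""
    match = SERVER_RE.match(value)
    if not match:
        raise ValueError("bad server entry (space after the comma?): %r" % value)
    priority = int(match.group(1)) if match.group(1) is not None else 9
    url = match.group(2)
    if urlsplit(url).scheme not in ("http", "https"):
        raise ValueError("server URL must use http or https: %r" % url)
    return priority, url


def ordered_servers(entries):
    """Servers highest priority first; equal priorities keep configuration order."""
    servers = [parse_server(value) for value in entries.get("server", [])]
    return sorted(servers, key=lambda server: -server[0])  # sorted() is stable


def lint_cluster(text):
    """Return [(severity, message)] findings for the stanza; empty means clean."""
    name, entries = parse_stanza(text)
    findings = []
    if not (name or "").startswith("rtss-cluster:"):
        findings.append(("error", "expected an [rtss-cluster:<cluster>] stanza"))
    for key in REQUIRED_ENTRIES:
        if key not in entries:
            findings.append(("error", "required entry %s is missing" % key))
    servers = ordered_servers(entries)
    uses_https = any(url.startswith("https://") for _, url in servers)
    uses_http = any(url.startswith("http://") for _, url in servers)
    if uses_https:
        missing = [key for key in CLIENT_CERT_ENTRIES if key not in entries]
        if missing and len(missing) < len(CLIENT_CERT_ENTRIES):
            findings.append(("error", "incomplete client certificate setup; missing "
                             + ", ".join(missing)))
        elif missing:
            findings.append(("warning", "no client certificate entries; "
                             "the global [ssl] stanza is used"))
        if "ssl-valid-server-dn" not in entries:
            findings.append(("warning", "no ssl-valid-server-dn; "
                             "any server certificate DN is accepted"))
    if uses_http and ("basic-auth-user" in entries or "basic-auth-passwd" in entries):
        findings.append(("error", "basic-auth credentials configured "
                         "while a server uses http://"))
    return findings


# Constructed sample stanza; the host names are not from this reference.
SAMPLE = """
[rtss-cluster:cluster1]
server = 9,https://rtss1.example.test:9443/rtss/authz/services/AuthzService
server = 5,https://rtss2.example.test:9443/rtss/authz/services/AuthzService
server = http://localhost:9080/rtss/authz/services/AuthzService
basic-auth-user = userA
basic-auth-passwd = password
handle-pool-size = 10
handle-idle-timeout = 240
timeout = 240
"""

if __name__ == "__main__":
    for priority, url in ordered_servers(parse_stanza(SAMPLE)[1]):
        print(priority, url)
    for severity, message in lint_cluster(SAMPLE):
        print(severity + ":", message)
```

Running the file lists the three servers with the unprioritized localhost entry promoted to 9 ahead of the priority-5 server, then the two warnings and the basic-auth error for the sample stanza. Adding the client-certificate entries and an ssl-valid-server-dn, and dropping the http:// server, brings the findings to none.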

[script-filtering] stanza

hostname-junction-cookie

Syntax
    hostname-junction-cookie = {yes|no}

Description

Enables WebSEAL to uniquely identify the cookie used for resolving unfiltered links. This is used when another WebSEAL server has created a junction to this WebSEAL server, using a WebSEAL to WebSEAL junction.

Options

yes Enable.

no Disable.

Usage

This stanza entry is optional, but it is included by default in the configuration file.

Default value

no

Example

hostname-junction-cookie = no

rewrite-absolute-with-absolute

Syntax

rewrite-absolute-with-absolute = {yes|no}

Description

Enables WebSEAL to rewrite absolute URLs with new absolute URLs that contain the protocol, host, and port (optionally) that represent how the user accessed the WebSEAL server.

Options

yes Enable.

no Disable.

Usage

This stanza entry is optional.

Default value

There is no default value, but if the entry is not specified in this configuration file, WebSEAL assumes the value is no.

Example

rewrite-absolute-with-absolute = no

script-filter

Syntax

script-filter = {yes|no}

Description

Enables or disables script filtering support. When enabled, WebSEAL can filter absolute URLs encountered in scripts such as JavaScript.


Options

yes A value of yes means enabled.

no A value of no means disabled.

Usage

This stanza entry is optional, but is included by default.

Default value

When it is not declared, the value for the script-filter functionality is no by default.

Example

script-filter = no

[server] stanza

allow-shift-jis-chars

Syntax

allow-shift-jis-chars = {yes|no}

Description

Specifies whether junctions created using -w will allow all Shift-JIS multibyte characters in junction file and path names.

Options

yes Junctions created using -w will allow all Shift-JIS multibyte characters in junction file and path names.

no Junction file and path names using Shift-JIS multibyte characters containing the single byte character '\' will be rejected.

Usage

This stanza entry is required.

Default value

no

Example

allow-shift-jis-chars = no

allow-unauth-ba-supply

Syntax

allow-unauth-ba-supply = {yes|no}


Description

This parameter determines access to -b supply junctions by unauthenticated users. By default, unauthenticated users are required to log in before accessing any resource located on a junctioned server where that junction was created with the -b supply argument.

Options

yes When allow-unauth-ba-supply is set to yes, unauthenticated users can access -b supply junctions. The basic authentication header supplied by WebSEAL in the forwarded request contains the string unauthenticated for the value of the header.

no When allow-unauth-ba-supply is set to no, unauthenticated users cannot access -b supply junctions. Users receive a login prompt.

Usage

This stanza entry is required.

Default value

no

Example

allow-unauth-ba-supply = no

allow-unsolicited-logins

Syntax

allow-unsolicited-logins = {yes|no}

Description

This parameter controls whether WebSEAL accepts unsolicited authentication requests. If this parameter is set to no, WebSEAL accepts a login request only if WebSEAL sent the login form to the client to prompt authentication.

Options

yes When allow-unsolicited-logins is set to yes, WebSEAL accepts unsolicited logins.

no When allow-unsolicited-logins is set to no, WebSEAL does not accept unsolicited logins. This setting ensures that WebSEAL always issues a login form to the client as part of the authentication process.

Usage

This stanza entry is optional.

Default value

yes


Example

allow-unsolicited-logins = yes

auth-challenge-type

Syntax

auth-challenge-type = list

Description

Contains a comma-separated list of authentication types that is used when challenging a client for authentication information.

Each authentication type can be customized for particular user agent strings. For more information about authentication challenges based on the user agent, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.

You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [server:{jct_id}] stanza,

where {jct_id} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.

Options

list

A comma-separated list of authentication types that is used when challenging a client for authentication information. The supported authentication types include:

v ba

v forms

v cert

v eai

The corresponding authentication configuration entry (for example, ba-auth) must be enabled for each specified authentication challenge type.

Each authentication type can also be qualified with a set of rules to specify the user agents that receive a given challenge type. These rules are separated by semicolons and placed inside square brackets preceding the authentication type. Each rule consists of a plus (+) or minus (-) symbol to indicate inclusion or exclusion, and the pattern to match on. The pattern can include:

v Alphanumeric characters

v Spaces

v Periods (.)

v Wildcard characters, such as the question mark (?) and asterisk (*)

Usage

This stanza entry is optional.

Default value

By default, the list of authentication challenge types matches the list of configured authentication mechanisms.


auth-challenge-type = ba
auth-challenge-type = forms

Example

auth-challenge-type = ba, forms
auth-challenge-type = [-msie;+ms]ba, [+mozilla*;+*explorer*]forms
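As an added illustration (not code from the IBM product or from this reference), the following Python parses an auth-challenge-type value in the format described above and decides which challenge types a given User-Agent receives. The rule-evaluation order, the whole-string case-insensitive wildcard match, and the treatment of a User-Agent that matches no rule are assumptions made for this example, not a statement of WebSEAL's exact behavior.

```python
import fnmatch
import re
from typing import List, Tuple

# Constructed illustration of the auth-challenge-type value format.
# ASSUMPTIONS (not a statement of WebSEAL's exact algorithm):
#   - a pattern is matched case-insensitively against the whole User-Agent
#     string, with ? and * as wildcards;
#   - rules are evaluated in order and the first matching rule decides;
#   - a User-Agent that matches no rule is excluded when the rule list has
#     any "+" rule, and included when the list consists only of "-" rules.

Rule = Tuple[bool, str]                 # (is_include, pattern)
ChallengeType = Tuple[str, List[Rule]]  # (type_name, rules)

SUPPORTED_TYPES = {"ba", "forms", "cert", "eai"}

# Optional "[rule;rule;...]" prefix followed by the challenge type name.
_ENTRY_RE = re.compile(r"^(?:\[(?P<rules>[^\]]*)\])?\s*(?P<type>[A-Za-z]+)$")


def parse_challenge_types(value: str) -> List[ChallengeType]:
    """Parse an auth-challenge-type value such as
    '[-msie;+ms]ba, [+mozilla*;+*explorer*]forms'."""
    parsed: List[ChallengeType] = []
    for raw_entry in value.split(","):
        entry = raw_entry.strip()
        if not entry:
            continue
        match = _ENTRY_RE.match(entry)
        if match is None:
            raise ValueError(f"malformed challenge type entry: {entry!r}")
        ctype = match.group("type").lower()
        if ctype not in SUPPORTED_TYPES:
            raise ValueError(f"unsupported challenge type: {ctype!r}")
        rules: List[Rule] = []
        if match.group("rules") is not None:
            for raw_rule in match.group("rules").split(";"):
                rule = raw_rule.strip()
                if not rule:
                    continue
                if rule[0] not in "+-" or len(rule) < 2:
                    raise ValueError(f"rule needs +/- and a pattern: {rule!r}")
                rules.append((rule[0] == "+", rule[1:].strip()))
        parsed.append((ctype, rules))
    return parsed


def _pattern_matches(pattern: str, user_agent: str) -> bool:
    # fnmatchcase understands ? and * (and [] classes, which the entry's
    # grammar never produces); lower-casing both sides gives case-insensitivity.
    return fnmatch.fnmatchcase(user_agent.lower(), pattern.lower())


def challenge_types_for(user_agent: str, config: List[ChallengeType]) -> List[str]:
    """Return the challenge types to offer a client with this User-Agent,
    in configuration order."""
    offered: List[str] = []
    for ctype, rules in config:
        if not rules:                       # unqualified: every client
            offered.append(ctype)
            continue
        # Default when nothing matches (assumption, see header comment).
        decision = not any(is_include for is_include, _ in rules)
        for is_include, pattern in rules:
            if _pattern_matches(pattern, user_agent):
                decision = is_include       # first matching rule decides
                break
        if decision:
            offered.append(ctype)
    return offered


if __name__ == "__main__":
    config = parse_challenge_types("[-msie;+ms]ba, [+mozilla*;+*explorer*]forms")
    for ua in ("Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/10.0",
               "msie", "Internet Explorer"):
        print(f"{ua!r:70} -> {challenge_types_for(ua, config)}")
```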

cache-host-header

Syntax

cache-host-header = {yes|no}

Description

This configuration option determines whether WebSEAL caches the host and protocol of the original request.

By default, when caching an original request, WebSEAL only caches the URL. That is, WebSEAL does not cache the host and protocol of the original request. In this case, when returning a redirect to the original URL, WebSEAL simply redirects to the current host. This causes problems if a request for a protected resource on one virtual host, hostA, results in an authentication operation being processed on a different virtual host, hostB. In this case, the client is incorrectly redirected to hostB rather than hostA. This behavior can be corrected by enabling this stanza entry so that WebSEAL can cache the host and protocol of the original request to be used for redirection.

Options

yes WebSEAL caches the host and protocol of the original request in addition to the URL. In this case:

v Both the host and protocol are cached and used in redirects. They cannot be separately managed.

v The protocol is not cached if the host header is not present.

v Requests will only be recovered from the cache if the protocol, the host and the URL all match the original request.

Limitations associated with this caching behavior:

v The contents of the existing URL macro will not include the protocol and host. No new macros have been added to represent these elements.

v It is not possible to specify a protocol and host when a switch user administrator specifies a URL.

no WebSEAL only caches the URL associated with the original request and redirects to the current host.

Usage

This stanza entry is optional.

Default value

no

Example

cache-host-header = yes


capitalize-content-length

Syntax

capitalize-content-length = {yes|no}

Description

This parameter determines whether WebSEAL uses capitalized first letters in the content-length header. That is, whether the name of the HTTP content-length header is Content-Length or content-length.

NOTE: The Documentum client application expects the name of the HTTP content-length header to be Content-Length, with a capitalized "C" and "L".

Options

yes WebSEAL uses the Documentum-compliant header name Content-Length.

no WebSEAL uses all lowercase for the content-length header. That is, content-length.

Usage

This stanza entry is optional.

Default value

no

Example

capitalize-content-length = yes

client-connect-timeout

Syntax

client-connect-timeout = number_of_seconds

Description

After the initial connection handshake has occurred, this parameter dictates how long (in seconds) WebSEAL holds the connection open for the initial HTTP or HTTPS request.

Options

number_of_seconds

Must be a positive integer. Other values have unpredictable results and should not be used. Maximum allowed value: 2147483647.

Usage

This stanza entry is required.

Default value

120


Example

client-connect-timeout = 120

chunk-responses

Syntax

chunk-responses = {yes|no}

Description

Enables WebSEAL to write chunked data to HTTP/1.1 clients. This can improve performance by allowing connections to be reused even when the exact response length is not known before the response is written.

Options

yes Enable.

no Disable.

Usage

This stanza entry is required.

Default value

yes

Example

chunk-responses = yes

concurrent-session-threads-hard-limit

Syntax

concurrent-session-threads-hard-limit = number_of_threads

Description

The maximum number of concurrent threads that a single user session can consume. When a user session reaches its thread limit, WebSEAL stops processing any new requests for the user session and returns an error to the client.

If you do not specify a value for this entry, there is no limit to the number of concurrent threads that a user session can consume.

Options

number_of_threads

The maximum number of concurrent threads that a single user session can consume before WebSEAL returns an error.

Usage

This stanza entry is optional.


Default value

Unlimited.

Example

concurrent-session-threads-hard-limit = 10

concurrent-session-threads-soft-limit

Syntax

concurrent-session-threads-soft-limit = number_of_threads

Description

The maximum number of concurrent threads that a single user session can consume before WebSEAL generates warning messages. WebSEAL continues processing requests for this session until it reaches the configured concurrent-session-threads-hard-limit (also in the [server] stanza).

Options

number_of_threads

Integer value representing the maximum number of concurrent threads that a single session can consume before WebSEAL generates warning messages.

Usage

This stanza entry is optional.

Default value

Unlimited.

Example

concurrent-session-threads-soft-limit = 5

connection-request-limit

Syntax

connection-request-limit = number_of_requests

Description

Specifies the maximum number of requests that will be processed on a single persistent connection.

Options

number_of_requests

The maximum number of requests that will be processed on a single persistent connection.


Usage

This stanza entry is required.

Default value

100

Example

connection-request-limit = 100

cope-with-pipelined-request

Syntax

cope-with-pipelined-request = {yes|no}

Description

WebSEAL does not support pipelined requests from browsers. If this option is set to yes, when WebSEAL detects pipelined requests it will close the connection and inform the browser that it should re-send the pipelined requests in a normal manner. This parameter should always be set to yes unless the previous WebSEAL behavior is required.

Options

yes Enable.

no Disable.

Usage

This stanza entry is required.

Default value

yes

Example

cope-with-pipelined-request = yes

decode-query

Syntax

decode-query = {yes|no}

Description

Validates the query string in requests according to the utf8-qstring-support-enabled parameter.

Options

yes When decode-query is set to yes, WebSEAL validates the query string in requests according to the utf8-qstring-support-enabled parameter. Otherwise, WebSEAL does not validate the query string.


no When decode-query is set to no, then dynurl must be disabled.

Usage

This stanza entry is required.

Default value

yes

Example

decode-query = yes

disable-timeout-reduction

Syntax

disable-timeout-reduction = {yes|no}

Description

By default, WebSEAL automatically reduces the timeout duration for threads as the number of in-use worker threads increases. The timeout duration is the maximum length of time that a persistent connection with the client can remain inactive before WebSEAL terminates the connection.

This configuration option determines whether WebSEAL reduces the timeout duration to help control the number of active worker threads. This option is available on all platforms.

Options

yes Disables the timeout reduction done by WebSEAL as the number of worker threads in use increases.

no WebSEAL performs timeout reduction as the number of worker threads in use increases.

Usage

This stanza entry is optional.

Default value

no

Example

disable-timeout-reduction = yes

See also

“max-file-descriptors” on page 245

double-byte-encoding

Syntax

double-byte-encoding = {yes|no}


Description

Specifies whether WebSEAL assumes that encoded characters within URLs are always encoded in Unicode, and do not contain UTF-8 characters.

Options

yes WebSEAL assumes that encoded characters within URLs are always encoded in Unicode, and do not contain UTF-8 characters.

no WebSEAL does not assume that encoded characters within URLs are always encoded in Unicode, and do not contain UTF-8 characters.

Usage

This stanza entry is required.

Default value

no

Example

double-byte-encoding = no

dynurl-allow-large-posts

Syntax

dynurl-allow-large-posts = {yes|no}

Description

Allows or disallows POST requests larger than the current value for the stanza entry request-body-max-read in the [server] stanza.

Options

yes When set to yes, WebSEAL compares only up to request-body-max-read bytes of the POST request to the URL mappings contained in the dynurl configuration file (dynurl.conf).

no When set to no, WebSEAL disallows POST requests with a body larger than request-body-max-read.

Usage

This stanza entry is required.

Default value

no

Example

dynurl-allow-large-posts = no


dynurl-map

Syntax

dynurl-map = file_name

Description

Specifies the file that contains mappings for URLs to protected objects.

Options

file_name

The name of the file that contains mappings for URLs to protected objects.

Usage

This stanza entry is optional.

Default value

None, but this entry is usually configured to dynurl.conf.

Example

dynurl-map = dynurl.conf

enable-IE6-2GB-downloads

Syntax

enable-IE6-2GB-downloads = {yes|no}

Description

Allows you to disable the HTTP Keep-Alives Enabled option for responses sent back to Internet Explorer, version 6, client browsers. The primary purpose of this is to allow WebSEAL to mimic the Internet Information Services workaround published at http://support.microsoft.com/kb/298618. This will allow clients using Microsoft Internet Explorer, version 6.0, to download files greater than 2GB, but less than 4GB.

NOTE:

v This stanza entry is not necessary for Internet Explorer 7 or for other non-Microsoft browsers.

v Enabling this workaround will cause WebSEAL to not use persistent connections for Internet Explorer, version 6, client connections when the data to be returned in the response is >= 2GB in length.

Options

yes Disables the HTTP Keep-Alives Enabled option, allowing clients using Internet Explorer, version 6, to download files greater than 2GB, but less than 4GB.

no The HTTP Keep-Alives Enabled option is not disabled.


Usage

This stanza entry is optional.

Default value

no

Example

enable-IE6-2GB-downloads = yes

filter-nonhtml-as-xhtml

Syntax

filter-nonhtml-as-xhtml = {yes|no}

Description

Enable tag-based filtering of static URLs for new MIME types added to the [filter-content-types] stanza.

Options

yes Enable tag-based filtering of static URLs for new MIME types added to the [filter-content-types] stanza.

no Disable tag-based filtering of static URLs for new MIME types added to the [filter-content-types] stanza.

Usage

This stanza entry is required.

Default value

no

Example

filter-nonhtml-as-xhtml = no

force-tag-value-prefix

Syntax

force-tag-value-prefix = {yes|no}

Description

Determines whether each attribute name set in a junction object's HTTP-Tag-Value is automatically prefixed with "tagvalue_" before it is placed in the credential. This prohibits access to credential attributes that do not have names beginning with "tagvalue_", such as AUTHENTICATION_LEVEL. When this option is set to no, the automatic prefixing of "tagvalue_" will not occur, so that all credential attributes can be specified in HTTP-Tag-Value.


Options

yes Enable the automatic prefixing of "tagvalue_" to each attribute name set in a junction object's HTTP-Tag-Value.

no Disable the automatic prefixing of "tagvalue_" so that all credential attributes can be specified in HTTP-Tag-Value.

Usage

This stanza entry is required.

Default value

yes

Example

force-tag-value-prefix = yes

http

Syntax

http = {yes|no}

Description

Specifies whether HTTP requests will be accepted by the WebSEAL server. This value is set by the administrator during WebSEAL server configuration.

Options

yes Accept HTTP requests.

no Do not accept HTTP requests.

Usage

This stanza entry is required.

Default value

no

Example

http = yes

http-method-disabled-local

Syntax

http-method-disabled-local = [HTTP_methods]

Description

Specifies the HTTP methods that WebSEAL blocks when processing HTTP requests for local resources. By default, WebSEAL blocks the TRACE HTTP method.


Options

HTTP_methods

A comma-separated list of HTTP methods that are blocked when requesting local resources.

Usage

This stanza entry is required.

Default value

TRACE

Example

http-method-disabled-local = TRACE

http-method-disabled-remote

Syntax

http-method-disabled-remote = [HTTP_methods]

Description

Specifies the HTTP methods that WebSEAL blocks when processing HTTP requests for junctioned resources. By default, WebSEAL blocks the TRACE HTTP method.

Options

HTTP_methods

A comma-separated list of HTTP methods that are blocked when requesting remote resources.

Usage

This stanza entry is required.

Default value

TRACE

Example

http-method-disabled-remote = TRACE

http-port

Syntax

http-port = port_number

Description

Port on which WebSEAL listens for HTTP requests. This value is set during WebSEAL configuration. When the default HTTP port is already in use, WebSEAL configuration suggests the next available (unused) port number.


Options

port_number

The administrator can modify this number. Valid values include any port number not already in use on the host.

Usage

This stanza entry is required.

Default value

80

Example

http-port = 80

https

Syntax

https = {yes|no}

Description

Specifies whether HTTPS requests will be accepted by the WebSEAL server. This value is set by the administrator during WebSEAL server configuration.

Options

yes Accept HTTPS requests.

no Do not accept HTTPS requests.

Usage

This stanza entry is required.

Default value

no

Example

https = yes

https-port

Syntax

https-port = port_number

Description

Port on which WebSEAL listens for HTTPS requests. This value is set during WebSEAL configuration. When the default port is already in use, WebSEAL configuration suggests the next available (unused) port number.


Options

port_number

The administrator can modify this number. Valid values include any port number not already in use on the host.

Usage

This stanza entry is required.

Default value

443

Example

https-port = 443

ignore-missing-last-chunk

Syntax

ignore-missing-last-chunk = {yes|no}

Description

Controls whether WebSEAL ignores a missing last chunk in a data-stream from a backend server that is using chunked transfer-encoding.

Options

yes WebSEAL will ignore a missing last-chunk in a data-stream from a backend server that is using chunked transfer-encoding. This matches the behavior in prior releases of WebSEAL.

no WebSEAL will RST (reset) the connection to the front-end browser if the last-chunk is not present.

Usage

This stanza entry is optional.

Default value

no

Example

ignore-missing-last-chunk = yes

intra-connection-timeout

Syntax

intra-connection-timeout = number_of_seconds

Description

This parameter affects request and response data sent as two or more fragments. The parameter specifies the timeout (in seconds) between each request data fragment after the first data fragment is received by WebSEAL. The parameter also governs the timeout between response data fragments after the first data fragment is returned by WebSEAL.

Options

number_of_seconds

If the value of this parameter is set to 0 (or not set), connection timeouts between data fragments are governed instead by the client-connect-timeout parameter. The exception to this rule occurs for responses returned over HTTP (TCP). In this case, there is no timeout between response fragments. If a connection timeout occurs on a non-first data fragment due to the intra-connection-timeout setting, a TCP RST (reset) packet is sent.

Usage

This stanza entry is required.

Default value

60

Example

intra-connection-timeout = 60

io-buffer-size

Syntax

io-buffer-size = number_of_bytes

Description

Positive integer value that indicates the buffer size, in bytes, for low-level reads from and writes to a client.

Options

number_of_bytes

Positive integer value that indicates the buffer size, in bytes, for low-level reads from and writes to a client.

The minimum value is 1. WebSEAL does not impose a maximum value.

A small value (for instance, 10 bytes) can hurt performance by causing frequent calls to the low-level read/write APIs. Up to a certain point, larger values improve performance because they correspondingly reduce the calls to the low-level I/O functions.

However, the low-level I/O functions might have their own internal buffers, such as the TCP send and receive buffers. When io-buffer-size exceeds the size of those buffers, there is no longer any performance improvement because those functions read only part of the buffer at a time.

Reasonable values for io-buffer-size range from 1 - 16 kB. Values smaller than this range cause the low-level I/O functions to be called too frequently.


Values larger than this range waste memory. A 2 MB I/O buffer size uses 4 MB for each worker thread that communicates with the client, since there is an input and output buffer.

Usage

This stanza entry is required.

Default value

4096

Example

io-buffer-size = 4096

ip-support-level

Syntax

ip-support-level = {displaced-only|generic-only|displaced-and-generic}

Description

Controls the amount of network information stored in a credential by specifying the required IP level.

Options

displaced-only

WebSEAL only generates the IPv4 attribute when building user credentials and when authenticating users through external authentication C API modules.

generic-only

WebSEAL only generates new generic attributes that support both IPv4 and IPv6 when building user credentials and when authenticating users through external authentication C API modules.

displaced-and-generic

Both sets of attribute types (produced by displaced-only and generic-only) are used when building user credentials and when authenticating users through external authentication C API modules.

Usage

This stanza entry is required.

Default value

generic-only

Example

ip-support-level = generic-only


ipv6-support

Syntax

ipv6-support = {yes|no}

Description

Enable/disable WebSEAL support for IPv6 format.

Options

yes Enable WebSEAL support for IPv6 format.

no Disable WebSEAL support for IPv6 format.

Usage

This stanza entry is required.

Default value

yes

Example

ipv6-support = yes

late-lockout-notification

Syntax

late-lockout-notification = {yes|no}

Description

WebSEAL returns a server response error page (acct_locked.html) that notifies the user of the penalty for reaching or exceeding the maximum value set by the max-login-failures policy. This stanza entry specifies whether this notification occurs when the user reaches the max-login-failures limit, or at the next login attempt after reaching the limit.

Options

yes Upon reaching the maximum value set by the max-login-failures policy, WebSEAL returns another login prompt to the user. WebSEAL does not send the account disabled error page to the user until the next login attempt. This response represents pre-version 6.0 behavior for the max-login-failures policy.

no Upon reaching the maximum value set by the max-login-failures policy, WebSEAL immediately sends the account disabled error page to the user.

Usage

This stanza entry is required.

Default value

The default for new installations is no. The default for migrated installations is yes.


Example

late-lockout-notification = yes

max-client-read

Syntax

max-client-read = number_of_bytes

Description

Specifies the maximum number of bytes of request line and header information that WebSEAL holds in internal buffers when reading an HTTP request from a client. One purpose for max-client-read is to help protect WebSEAL from denial-of-service attacks.

As of Security Access Manager WebSEAL 6.0, the max-client-read stanza entry no longer impacts the request-body-max-read and request-max-cache stanza entries.

Options

number_of_bytes

The minimum value for this parameter is 32768 bytes. If the total size of the request line and headers is greater than the value specified for this parameter, WebSEAL closes the connection without reading any more data or sending any response to the client.

If the value is set to a number below 32768, the value is ignored and a value of 32768 is used. There is no maximum value. URL and header information in a typical request rarely exceeds 2048 bytes.

Usage

This stanza entry is required.

Default value

32768

Example

max-client-read = 32768
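Added example, not WebSEAL code: a Python reader that buffers a request line and headers from a client stream, enforcing a max-client-read style cap (with the 32768-byte floor described above) and returning None, meaning close without reading further or sending a response, when the cap is exceeded. The stream type, chunk size and sample requests are constructed for the illustration.

```python
import io
from typing import BinaryIO, Optional, Tuple

# Constructed illustration of a max-client-read style limit.
# Values below the 32768-byte floor are ignored, as the entry above states;
# the chunk size and sample requests are made up for this example.
MIN_MAX_CLIENT_READ = 32768
HEAD_TERMINATOR = b"\r\n\r\n"


def effective_max_client_read(configured: int) -> int:
    """Apply the floor: anything below 32768 is treated as 32768."""
    return max(configured, MIN_MAX_CLIENT_READ)


def read_request_head(conn: BinaryIO, max_client_read: int,
                      chunk_size: int = 4096) -> Optional[Tuple[bytes, bytes]]:
    """Buffer the request line and headers from conn, never holding more than
    the effective limit. Returns (head, leftover): head includes the
    terminating blank line and leftover is any body bytes already read.
    Returns None when the limit is reached before the head is complete, or
    when the client closes early; on None the caller closes the connection
    without reading more or sending a response."""
    limit = effective_max_client_read(max_client_read)
    buf = bytearray()
    while True:
        # Search the whole buffer each pass so a terminator that straddles
        # two reads is still found.
        end = buf.find(HEAD_TERMINATOR)
        if end != -1:
            split = end + len(HEAD_TERMINATOR)
            return bytes(buf[:split]), bytes(buf[split:])
        if len(buf) >= limit:
            return None                      # request line + headers too big
        data = conn.read(min(chunk_size, limit - len(buf)))
        if not data:
            return None                      # connection closed mid-head
        buf += data


def read_request_head_from_bytes(data: bytes, max_client_read: int):
    """Convenience wrapper: feed a byte string as if it were the client."""
    return read_request_head(io.BytesIO(data), max_client_read)


# Constructed sample requests (not captured traffic).
NORMAL_REQUEST = (b"GET /jct/index.html HTTP/1.1\r\n"
                  b"Host: webseal.example.com\r\n"
                  b"User-Agent: Mozilla/5.0\r\n\r\n"
                  b"not-part-of-the-head")
OVERSIZE_REQUEST = b"GET / HTTP/1.1\r\nX-Filler: " + b"A" * 40000 + b"\r\n\r\n"


if __name__ == "__main__":
    print(read_request_head_from_bytes(NORMAL_REQUEST, 32768))
    print(read_request_head_from_bytes(OVERSIZE_REQUEST, 32768))
```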

max-file-cat-command-length

Syntax

max-file-cat-command-length = number_of_bytes

Description

Specifies the maximum size of the file, specified in bytes, which may be returned from the file cat server task command.

If the value of this parameter is less than the size of the file specified in the file cat command, the returned file will be truncated. This parameter takes precedence over the optional -max bytes value in the file cat command.


Options

number_of_bytes

The maximum size of the file, specified in bytes, which may be returned from the file cat command.

Usage

This stanza entry is required.

Default value

1024

Example

max-file-cat-command-length = 512

max-file-descriptors

Syntax

max-file-descriptors = number_of_descriptors

Description

Sets the maximum number of sockets that WebSEAL uses in a Windows environment. This setting directly affects the number of worker threads available.

Note: You can use the connection-request-limit option, which is also in the [server] stanza, to increase the number of requests that WebSEAL processes on a persistent connection.

Options

number_of_descriptors

Integer value representing the maximum number of file descriptors (sockets) that WebSEAL uses. This setting directly affects the number of worker threads available to WebSEAL. The minimum value, and default, is the compiled FD_SETSIZE, which is 2048 for Windows.

Usage

This stanza entry is optional.

Note: This configuration option is available only on Windows. WebSEAL ignores this setting on all other platforms.

Default value

The default value is the compiled FD_SETSIZE, which is 2048 for Windows.

Example

max-file-descriptors = 2048


See also

“disable-timeout-reduction” on page 233
“connection-request-limit” on page 231

max-idle-persistent-connections

Syntax

max-idle-persistent-connections = number_of_connections

Description

The maximum number of idle client persistent connections. Use a value less than the maximum number of connections supported by WebSEAL to ensure that the idle connections do not consume all the available connections.

Options

number_of_connections

Integer value indicating the maximum number of idle client persistent connections.

Usage

This stanza entry is required.

Default value

512

Example

max-idle-persistent-connections = 512

network-interface

Syntax

network-interface = ip-address

Description

Specify an alternative IP address to be used by this instance of WebSEAL. This allows two or more WebSEAL instances to use different IP addresses and host names when running on the same machine.

Options

ip-address

IP address.

Usage

This stanza entry is optional.

Default value

0.0.0.0

Example

network-interface = 9.0.0.9

persistent-con-timeout

Syntax

persistent-con-timeout = number_of_seconds

Description

HTTP/1.1 connection timeout, in seconds. This setting affects connections to clients, not to backend server systems.

Options

number_of_seconds

HTTP/1.1 connection timeout, in seconds. Must be a positive integer. Other values have unpredictable results and should not be used. Maximum allowed value: 2147483647.

A value of 0 causes WebSEAL to set the 'Connection: close' header and then close the connection on every response. If the value of this stanza entry is set to 0, the connection does not remain open for future requests.

Usage

This stanza entry is required.

Default value

5

Example

persistent-con-timeout = 5

pre-410-compatible-tokens

Syntax

pre-410-compatible-tokens = {yes|no}

Description

WebSEAL supports a common method of generating tokens for cross-domain single signon, failover, and e-community single signon. The security of these tokens was increased for version 4.1. This increase is not backward compatible with previous versions of WebSEAL. When the Security Access Manager deployment includes multiple WebSEAL servers, and some of the WebSEAL servers are version 3.9 or prior, set this value to yes.

Options

yes Support pre-410-compatible tokens.

no Do not support pre-410-compatible tokens.

Usage

This stanza entry is required.

Default value

no

Example

pre-410-compatible-tokens = no

pre-510-compatible-token

Syntax

pre-510-compatible-token = {yes|no}

Description

WebSEAL supports a common method of generating tokens for cross-domain single signon, failover, and e-community single signon. The format of these tokens changed for version 5.1. This change is not backward compatible with previous versions of WebSEAL. When the Security Access Manager deployment includes multiple WebSEAL servers, and some of the WebSEAL servers are version 4.1 or prior, set this value to yes.

Options

yes Support pre-510-compatible tokens.

no Do not support pre-510-compatible tokens.

Usage

This stanza entry is required.

Default value

no

Example

pre-510-compatible-tokens = no

preserve-base-href

Syntax

preserve-base-href = {yes|no}

Description

Specifies whether WebSEAL will remove all BASE HREF tags from filtered HTML documents and prepend the base tag to filtered links.

Options

yes When set to yes, WebSEAL filters the BASE HREF tag.

no When set to no, WebSEAL removes BASE HREF tags.

Usage

This stanza entry is required.

Default value

no

Example

preserve-base-href = no

preserve-base-href2

Syntax

preserve-base-href2 = {yes|no}

Description

Used in conjunction with the preserve-base-href option to specify the level of filtering on the BASE HREF tags.

NOTE: This option has no effect unless preserve-base-href (also in the [server] stanza) is set to yes.

Options

yes When set to yes, WebSEAL only performs the minimum filtering of the BASE HREF tag necessary to insert the WebSEAL host and junction names.

no When set to no, WebSEAL completely filters the BASE HREF tags. For BASE tags that do not contain a trailing slash, WebSEAL strips the last component.

Usage

This stanza entry is optional.

Default value

yes

Example

preserve-base-href2 = yes

preserve-p3p-policy

Syntax

preserve-p3p-policy = {yes|no}

Description

Specifies whether to replace or preserve p3p headers from junctioned servers.

Options

yes The value yes means that headers are preserved.

no A value of no means that headers are replaced.

Usage

This stanza entry is required.

Default value

no

Example

preserve-p3p-policy = no

process-root-requests

Syntax

process-root-requests = {never|always|filter}

Description

Specifies how WebSEAL responds to requests for resources located at the root ("/") junction.

Options

never Root junction requests are never processed at the root junction.

always Always attempt to process requests for the root junction at the root junction first, before attempting to use a junction mapping mechanism.

filter Examine all root junction requests to determine whether they start with the patterns specified in the [process-root-filter] stanza.

Usage

This stanza entry is required.

Default value

always

Example

process-root-requests = always

redirect-using-relative

Syntax

redirect-using-relative = {true|false}

Description

Specifies that WebSEAL use a server-relative format for the URL in the Location header of an HTTP 302 redirect response.

This configuration change affects all redirect responses generated by WebSEAL. These redirect situations include:

- Redirect after authentication
- Redirect after logout
- Redirect after changing password
- Redirects during the e-community single signon authentication process
- Redirects during the cross-domain single signon authentication process
- Switch user processing
- Certificate authentication (prompt-as-needed only)
- Session displacement

Options

true Use a server-relative format for the URL in the Location header of an HTTP 302 redirect response.

false Use an absolute format for the URL in the Location header of an HTTP 302 redirect response.

Usage

This stanza entry is not required and is a hidden entry.

Default value

false

Example

redirect-using-relative = true

reject-invalid-host-header

Syntax

reject-invalid-host-header = {yes|no}

Description

Determines whether requests to WebSEAL that have an invalid host header (see RFC 2616) are rejected with a status of 400, "Bad Request."

Options

yes All requests to WebSEAL with an invalid host header will be rejected with a status of 400, "Bad Request."

no Requests with an invalid host header are not rejected.

Usage

This stanza entry is required.

Default value

no

Example

reject-invalid-host-header = no

reject-request-transfer-encodings

Syntax

reject-request-transfer-encodings = {yes|no}

Description

Specifies the WebSEAL response to requests containing the Transfer-Encoding header.

Options

yes WebSEAL rejects (with error status of 501, Not Implemented) any request with a Transfer-Encoding header value of anything other than "identity" or "chunked".

no WebSEAL may reject the request, or may forward it on to the junctioned server in a corrupted state. This setting is available for compatibility with versions of WebSEAL prior to version 6.0.

Usage

This stanza entry is required.

Default value

yes

Example

reject-request-transfer-encodings = yes
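
An added illustration of the two request checks described under reject-invalid-host-header and reject-request-transfer-encodings, written for this reference rather than taken from WebSEAL. It assumes a simplified host[:port] grammar approximating RFC 2616 (IPv6 literals are not handled) and request headers already parsed into (name, value) pairs.

```python
import re

# Host header grammar approximated from RFC 2616 (host [ ":" port ]), where
# host is a DNS name or IPv4 literal. Assumption for this example: IPv6
# literals and any other form are treated as invalid.
_HOST_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*\.?)"
    r"(?::(?P<port>[0-9]{1,5}))?$"
)

# Transfer-codings that reject-request-transfer-encodings = yes lets through.
_ALLOWED_CODINGS = {"identity", "chunked"}


def host_header_is_valid(value):
    """Return True when the Host header value has the form host[:port]."""
    m = _HOST_RE.match(value.strip())
    if not m:
        return False
    port = m.group("port")
    return port is None or 1 <= int(port) <= 65535


def transfer_codings(value):
    """Split a Transfer-Encoding value into lowercased coding names.

    Parameters such as ';q=0.5' are dropped; coding names are case-insensitive.
    """
    codings = []
    for item in value.split(","):
        name = item.split(";", 1)[0].strip().lower()
        if name:
            codings.append(name)
    return codings


def gate_request(headers, reject_invalid_host=True, reject_transfer_encodings=True):
    """Apply the two [server] stanza checks to one request.

    headers: list of (name, value) pairs as parsed from the request.
    Returns None to let the request through, or (status, reason) to reject it.
    """
    host_values = [v for n, v in headers if n.lower() == "host"]
    te_values = [v for n, v in headers if n.lower() == "transfer-encoding"]

    if reject_invalid_host:
        # RFC 2616 requires exactly one Host header on an HTTP/1.1 request;
        # a missing, duplicated or malformed value is a 400.
        if len(host_values) != 1 or not host_header_is_valid(host_values[0]):
            return (400, "Bad Request")

    if reject_transfer_encodings:
        for value in te_values:
            for coding in transfer_codings(value):
                if coding not in _ALLOWED_CODINGS:
                    return (501, "Not Implemented")
    return None


# Constructed sample requests for the example (not captured traffic).
GOOD = [("Host", "www.example.com:443"), ("Transfer-Encoding", "chunked")]
BAD_HOST = [("Host", "www.example.com/../")]
BAD_TE = [("Host", "www.example.com"), ("Transfer-Encoding", "gzip, chunked")]
```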

request-body-max-read

Syntax

request-body-max-read = number_of_bytes

Description

Maximum number of bytes to read in as content from the body of POST requests. The request-body-max-read stanza entry affects the request body only. It does not impose limits on other components of a request, such as the request line and headers. Used for dynurl, authentication, and request caching.

Options

number_of_bytes

Maximum number of bytes to read in as content from the body of POST requests. Used for dynurl, authentication, and request caching. Minimum number of bytes: 512.

Usage

This stanza entry is required.

Default value

4096

Example

request-body-max-read = 4096

request-max-cache

Syntax

request-max-cache = number_of_bytes

Description

Maximum amount of data to cache. This is used to cache request data when a user is prompted to authenticate before a request can be fulfilled.

Options

number_of_bytes

This value should be a positive integer. If set to zero (0), the user login succeeds but the request fails because WebSEAL cannot cache the request data. There is no maximum value.

Usage

This stanza entry is required.

Default value

8192

Example

request-max-cache = 8192

send-header-ba-first

Syntax

send-header-ba-first = {yes|no}

Description

By default, WebSEAL selects the authentication challenge to return to the client by sequentially searching the available authentication mechanisms until it finds one that is enabled. You can use the send-header-ba-first entry to ensure that WebSEAL selects the BA header before any of the other configured authentication mechanisms.

Options

yes WebSEAL sends the header first.

no WebSEAL searches sequentially through the available authentication mechanisms and sends the first one that is enabled.

Usage

This stanza entry is optional.

Default value

no

Example

send-header-ba-first = yes

See also

“send-header-spnego-first”

send-header-spnego-first

Syntax

send-header-spnego-first = {yes|no}

Description

By default, WebSEAL selects the authentication challenge to return to the client by sequentially searching the available authentication mechanisms until it finds one that is enabled. You can use the send-header-spnego-first entry to ensure that WebSEAL selects the SPNEGO header first, before any of the other configured authentication mechanisms.

SPNEGO authentication can use either forms login or a header.

Note: If send-header-ba-first is set to yes and send-header-spnego-first is set to no, WebSEAL sends a BA header first, but uses the default search for an SPNEGO forms login.

Options

yes WebSEAL sends the header first.

no WebSEAL searches sequentially through the available authentication mechanisms and sends the first one that is enabled.

Usage

This stanza entry is optional.

Default value

no

Example

send-header-spnego-first = yes

See also

“send-header-ba-first” on page 253

server-name

Syntax

server-name = host_name-instance_name

Description

The WebSEAL instance name.

Options

host_name-instance_name

The WebSEAL instance name, based on the host name of the machine and the instance name of the WebSEAL server. This value is set by the administrator during WebSEAL configuration. WebSEAL instance names must be alphanumeric. The maximum number of characters allowed is 20.

Usage

This stanza entry is required.

Default value

None.

Example

Example initial WebSEAL server with the default instance name accepted, on a host named diamond:

server-name = diamond-default

Example WebSEAL instance, specified as web2, on a host named diamond:

server-name = diamond-web2

slash-before-query-on-redirect

Syntax

slash-before-query-on-redirect = {yes|no}

Description

When a client URL specifies a directory location that does not end in a trailing slash (/), the client is redirected to the same URL with a trailing slash added. This is necessary for ACL checks to work properly.

This stanza entry controls where the slash is added if the original URL contains a query string.

Options

yes Setting this value to yes causes the trailing slash to be added before the query string.

For example: /root/directoryname?query becomes /root/directoryname/?query

no Setting this value to no causes the trailing slash to be added after the query string.

For example: /root/directoryname?query becomes /root/directoryname?query/

NOTE: A setting of no could cause browser errors. This option exists for backwards compatibility only.

Usage

This stanza entry is optional.

Default value

no

Example

slash-before-query-on-redirect = yes
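
An added example, not WebSEAL's code, of how the redirect-using-relative and slash-before-query-on-redirect settings shape the Location header of a directory redirect, and of why the no setting can confuse a browser: parsed the way a client parses it, the added slash ends up inside the last query value. The scheme and host used for the absolute form are assumed values.

```python
from urllib.parse import urlsplit, parse_qs


def directory_redirect_location(path, query, slash_before_query=False,
                                use_relative=False, scheme="https",
                                host="www.example.com"):
    """Build the Location value for a directory request that lacks a trailing slash.

    path: request path without the trailing slash, e.g. "/root/directoryname"
    query: raw query string without the "?", or "" when there is none
    slash_before_query: the [server] slash-before-query-on-redirect setting
    use_relative: the [server] redirect-using-relative setting
    scheme/host: assumed values, only used for the absolute (false) form
    """
    if not query:
        target = path + "/"
    elif slash_before_query:
        target = path + "/?" + query          # /root/directoryname/?query
    else:
        target = path + "?" + query + "/"     # /root/directoryname?query/ (legacy)
    if use_relative:
        return target                         # server-relative Location
    return "%s://%s%s" % (scheme, host, target)


def query_as_seen_by_browser(location):
    """Split the Location target the way a client does, to show what the setting changes."""
    parts = urlsplit(location)
    return parts.path, parse_qs(parts.query, keep_blank_values=True)
```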

strip-www-authenticate-headers

Syntax

strip-www-authenticate-headers = {yes|no}

Description

Controls whether WebSEAL removes the following headers from the responses that it receives from junctioned servers:

- Negotiate www-authenticate header.
- NTLM www-authenticate header.

Options

yes When set to yes, WebSEAL removes these www-authenticate headers from junctioned server responses.

no When set to no, WebSEAL does not remove these www-authenticate headers from junctioned server responses.

Usage

This stanza entry is optional.

Default value

yes

Example

strip-www-authenticate-headers = yes

suppress-backend-server-identity

Syntax

suppress-backend-server-identity = {yes|no}

Description

Suppresses the identity of the back-end application server from HTTP responses. These responses normally include the line:

Server: IBM_HTTP_SERVER/version_number Apache/version_number (Win32)

Options

yes Setting this value to yes deletes the above header line from the server response.

no Setting this value to no leaves the above header line in the server response.

Usage

This stanza entry is required.

Default value

no

Example

suppress-backend-server-identity = no

suppress-dynurl-parsing-of-posts

Syntax

suppress-dynurl-parsing-of-posts = {yes|no}

Description

Determines whether POST bodies are used in dynurl processing.

Note: Before enabling this option, make certain that no dynurl checked server applications accept arguments from POST bodies, so that dynurl checks cannot be bypassed using a POST instead of a query string.

Options

yes POST bodies will not be used in dynurl processing; only query strings will be used.

no POST bodies can be used in dynurl processing.

Usage

This stanza entry is required.

Default value

no

Example

suppress-dynurl-parsing-of-posts = no

suppress-server-identity

Syntax

suppress-server-identity = {yes|no}

Description

Suppresses the identity of the WebSEAL server from HTTP responses. These responses normally include the line:

Server: WebSEAL/version_number

Options

yes Setting this value to yes deletes the above header line from the server response.

no Setting this value to no leaves the above header line in the server response.

Usage

This stanza entry is required.

Default value

no

Example

suppress-server-identity = no

tag-value-missing-attr-tag

Syntax

tag-value-missing-attr-tag = tag_for_missing_attribute

Description

WebSEAL allows credential attributes to be inserted into the HTTP stream as HTTP headers. In the event that a requested attribute is not found in the credential, the HTTP header is still created with a static string. The tag-value-missing-attr-tag configuration entry defines the contents of the header.

Options

tag_for_missing_attribute

Tag inserted in the HTTP header in place of a missing attribute.

Usage

This stanza entry is required.

Default value

NOT_FOUND

Example

tag-value-missing-attr-tag = NOT_FOUND

use-existing-username-macro-in-custom-redirects

Syntax

use-existing-username-macro-in-custom-redirects = {yes|no}

Description

When using Local Response Redirection, you can use this configuration option to control how WebSEAL processes the USERNAME macro. By default, WebSEAL sets the USERNAME macro value to the string "unauthenticated" after an inactivity timeout. This processing does not match the behavior when WebSEAL serves static pages.

Use this option to override the default behavior and configure WebSEAL to set the USERNAME macro value to the authenticated username. That is, with this option set to yes, WebSEAL processes the USERNAME macro the same when using Local Response Redirection as it does when serving static pages.

Options

yes When using Local Response Redirection, the USERNAME macro value is set to the authenticated username after an inactivity timeout.

no When using Local Response Redirection, the USERNAME macro value is set to the string "unauthenticated" after an inactivity timeout.

Usage

This stanza entry is optional.

Default value

no

Example

use-existing-username-macro-in-custom-redirects = yes

use-http-only-cookies

Syntax

use-http-only-cookies = {yes|no}

Description

Indicates whether WebSEAL will add the HTTP-only attribute to the Session, LTPA and Failover Set-Cookie headers sent by WebSEAL.

Options

yes Enables WebSEAL to add the HTTP-only attribute to Session, LTPA and Failover Set-Cookie headers.

no Prevents WebSEAL from adding the HTTP-only attribute to Session, LTPA and Failover Set-Cookie headers.

Usage

This stanza entry is required.

Default value

no

Example

use-http-only-cookies = no
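
An added example, not WebSEAL's code, that applies the strip-www-authenticate-headers, suppress-backend-server-identity and use-http-only-cookies settings described above to the headers of one junctioned response. The cookie names it treats as the Session, LTPA and Failover cookies are assumptions (the reference does not name them), and the sample headers are constructed.

```python
# Cookies WebSEAL issues itself. Assumed names for this example; the
# reference speaks of Session, LTPA and Failover cookies without naming them.
WEBSEAL_COOKIES = {"PD-S-SESSION-ID", "PD-H-SESSION-ID", "PD-ID", "LtpaToken2"}

# www-authenticate schemes that strip-www-authenticate-headers = yes removes;
# other challenges (for example Basic) are passed through untouched.
STRIPPED_SCHEMES = {"negotiate", "ntlm"}


def add_httponly(set_cookie):
    """Append the HttpOnly attribute to one Set-Cookie value unless already present."""
    attrs = [a.strip() for a in set_cookie.split(";")]
    if any(a.lower() == "httponly" for a in attrs[1:]):
        return set_cookie
    return set_cookie.rstrip("; ") + "; HttpOnly"


def filter_response_headers(headers, suppress_backend_server_identity=False,
                            strip_www_authenticate_headers=True,
                            use_http_only_cookies=False):
    """Apply the three [server] response-header settings to (name, value) pairs.

    Returns a new list; the order of the surviving headers is preserved.
    """
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname == "server" and suppress_backend_server_identity:
            continue                      # drop the back-end "Server:" line
        if lname == "www-authenticate" and strip_www_authenticate_headers:
            scheme = value.split(None, 1)[0].lower() if value.strip() else ""
            if scheme in STRIPPED_SCHEMES:
                continue                  # Negotiate / NTLM challenges removed
        if lname == "set-cookie" and use_http_only_cookies:
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name in WEBSEAL_COOKIES:
                value = add_httponly(value)
        out.append((name, value))
    return out


# Constructed sample headers from a junctioned server (not a captured response).
SAMPLE = [
    ("Server", "IBM_HTTP_SERVER/version_number Apache/version_number (Win32)"),
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="app"'),
    ("Set-Cookie", "PD-S-SESSION-ID=abc123; Path=/; Secure"),
    ("Set-Cookie", "app_pref=dark; Path=/"),
    ("Content-Type", "text/html"),
]
```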

utf8-form-support-enabled

Syntax

utf8-form-support-enabled = {yes|no|auto}

Description

Enable or disable support for UTF-8 encoded characters in form data.

Options

yes WebSEAL only recognizes UTF-8 encoding in forms and the data is used without modification.

no WebSEAL does not recognize UTF-8 encoding in forms. Used for local code page only.

auto When set to auto, WebSEAL attempts to distinguish between UTF-8 and other forms of language character encoding. When encoding is not recognized as UTF-8, WebSEAL processes the coding as non-UTF-8.

Usage

This stanza entry is required.

Default value

yes

Example

utf8-form-support-enabled = yes

utf8-qstring-support-enabled

Syntax

utf8-qstring-support-enabled = {yes|no|auto}

Description

Enable or disable support for UTF-8 encoded characters in query strings.

Options

yes WebSEAL only recognizes UTF-8 encoding in query strings and the data is used without modification.

no WebSEAL does not recognize UTF-8 encoding in query strings. Used for local code page only.

auto When set to auto, WebSEAL attempts to distinguish between UTF-8 and other forms of language character encoding. When encoding is not recognized as UTF-8, WebSEAL processes the coding as non-UTF-8.

Usage

This stanza entry is required.

Default value

no

Example

utf8-qstring-support-enabled = no

utf8-url-support-enabled

Syntax

utf8-url-support-enabled = {yes|no|auto}

Description

Enable or disable support for UTF-8 encoded characters in URLs.

Options

yes WebSEAL only recognizes UTF-8 encoding in URLs and the data is used without modification.

no WebSEAL does not recognize UTF-8 encoding in URLs. Used for local code page only.

auto When set to auto, WebSEAL attempts to distinguish between UTF-8 and other forms of language character encoding. When encoding is not recognized as UTF-8, WebSEAL processes the coding as non-UTF-8.

Usage

This stanza entry is required.

Default value

yes

Example

utf8-url-support-enabled = yes

validate-query-as-ga

Syntax

validate-query-as-ga = {yes|no}

Description

Determines whether WebSEAL returns a "Bad Request" error when there is an invalid character present in the query portion of the URL.

Options

yes WebSEAL does not return a "Bad Request" error when there is an invalid character present in the query portion of the URL.

no WebSEAL returns a "Bad Request" error when there is an invalid character present in the query portion of the URL.

Usage

This stanza entry is optional.

Default value

no

Example

validate-query-as-ga = yes

web-host-name

Syntax

web-host-name = manually-set-webseal-hostname

Description

The manual setting for the WebSEAL server's host name. If left unset, WebSEAL attempts to automatically determine the server's host name. On systems with many host names, interfaces, or WebSEAL instances, the automatic determination may not always be correct. The manual setting for web-host-name resolves any conflicts.

Options

manually-set-webseal-hostname

The manual setting for the WebSEAL server's host name, based on the fully qualified machine name.

Usage

This stanza entry is optional.

Default value

www.webseal.com

Example

web-host-name = abc.example.com

web-http-port

Syntax

web-http-port = port for web-http-protocol

Description

Defines the port that the client Web browser uses to connect to WebSEAL for requests that WebSEAL receives on a TCP interface.

Options

port for web-http-protocol

Usage

This stanza entry is optional.

Default value

same as HTTP port

Example

web-http-port = 443

web-http-protocol

Syntax

web-http-protocol = {http | https}

Description

Defines the protocol that the client Web browser uses to connect to WebSEAL for requests that WebSEAL receives on a TCP interface.

Options

http WebSEAL functions will behave as if the client is connected to WebSEAL in an HTTP environment (not HTTPS).

https Most WebSEAL functions will behave as if the client is connected to WebSEAL in an HTTPS environment. There are exceptions and limitations to this rule. You cannot obtain SSL IDs or SSL client certificates using this parameter; therefore, [session] ssl-id-sessions cannot be used as a session key and [certificate] accept-client-certs cannot be used for authentication.

Usage

This stanza entry is optional.

Default value

http

Example

web-http-protocol = http

worker-threads

Syntax

worker-threads = number_of_threads

Description

Number of WebSEAL worker threads.

Options

number_of_threads

Number of WebSEAL worker threads. The minimum value is 1. The maximum number of threads is based on the number of file descriptors set for WebSEAL at compile time. Note that this number varies per operating system. If the value is set to a number larger than the WebSEAL-determined limit, WebSEAL reduces the value to the acceptable limit and issues a warning message.

Usage

This stanza entry is required.

Default value

300

Example

worker-threads = 300

[session] stanza

dsess-enabled

Syntax

dsess-enabled = {yes|no}

Description

Enable or disable use of the Session Management Server (SMS).

Options

yes Enable use of the Session Management Server (SMS). If this is set to "yes", the [dsess] stanza must have information about how to communicate with the SMS.

no Disable use of the Session Management Server (SMS).

Usage

This stanza entry is optional.

Default value

no

Example

dsess-enabled = no

dsess-last-access-update-interval

Syntax

dsess-last-access-update-interval = seconds

Description

Specifies the frequency at which WebSEAL updates the session last access time at the SMS.

Options

seconds

Smaller values offer more accurate inactivity timeout tracking, at the expense of sending updates to the SMS more frequently. Values of less than 1 second are not permitted.

Usage

This stanza entry is optional.

Default value

60

Example

dsess-last-access-update-interval = 60

enforce-max-sessions-policy

Syntax

enforce-max-sessions-policy = {yes|no}

Description

Control whether or not a specific WebSEAL instance enforces the max-concurrent-web-sessions policy.

Options

yes Enforce the max-concurrent-web-sessions policy.

no Do not enforce the max-concurrent-web-sessions policy.

Usage

This stanza entry is ignored unless WebSEAL is using the SMS for session storage.

Default value

yes

Example

enforce-max-sessions-policy = yes

inactive-timeout

Syntax

inactive-timeout = number_of_seconds

Description

Integer value for lifetime, in seconds, of inactive entries in the credential cache.

The value can be configured for a specific session cache (authenticated or unauthenticated) by adding an additional entry, prefixed by auth or unauth.

Options

number_of_seconds

The minimum number for this value is 0. WebSEAL does not impose a maximum value.

A stanza entry value of "0" disables this inactivity timeout feature (inactivity timeout value is unlimited). The control of cache entries is then governed by the timeout and max-entries stanza entries.

When a cache is full, the entries are cleared based on a least-recently-used algorithm.

Usage

This stanza entry is required.

Default value

600

Example

inactive-timeout = 600
unauth-inactive-timeout = 300

logout-remove-cookie

Syntax

logout-remove-cookie = {yes|no}

Description

Specifies whether or not to remove the session cookie from a user's browser when the user logs out from the WebSEAL domain. Setting this stanza entry to yes is necessary for the correct operation and use of the %OLDSESSION% macro.

Options

yes Remove the session cookie from a user's browser when the user logs out from the WebSEAL domain.

no Do not remove the session cookie from a user's browser when the user logs out from the WebSEAL domain.

Usage

This stanza entry is required.

Default value

no

Example

logout-remove-cookie = no

max-entries

Syntax

max-entries = number_of_entries

Description

Maximum number of concurrent entries in the credentials cache. When the cache size reaches this value, entries are removed from the cache according to a least recently used algorithm to allow new incoming logins.

The value can be configured for a specific session cache (authenticated or unauthenticated) by adding an additional entry, prefixed by auth or unauth.

Options

number_of_entries

The following conditions affect the specified value:

- If the specified value is less than or equal to 0, the cache size becomes unlimited.
- If the specified value is between 0 and 8192, the actual number of entries allowed is rounded up to the next multiple of 32.
- Any specified value greater than 8192 is accepted as given.

WebSEAL does not impose a maximum value.

Usage

This stanza entry is required.

Default value

4096

Example

max-entries = 4096
unauth-max-entries = 1024
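
An added toy model of one [session] credential cache, written for this reference rather than taken from WebSEAL, that combines the rules stated under inactive-timeout (a value of 0 disables the inactivity check) and max-entries (values at or below 0 mean unlimited, values up to 8192 round up to a multiple of 32, larger values are taken as given, and a full cache evicts the least recently used entry). The injected clock is an assumption made so the behaviour can be exercised without waiting.

```python
from collections import OrderedDict


def effective_max_entries(configured):
    """Apply the max-entries rounding rules; None means an unlimited cache."""
    if configured <= 0:
        return None                              # unlimited
    if configured <= 8192:
        return (configured + 31) // 32 * 32      # round up to the next multiple of 32
    return configured                            # greater than 8192: accepted as given


class CredentialCache:
    """One session cache (authenticated or unauthenticated), keyed by session id.

    max_entries: the configured max-entries (or unauth-max-entries) value.
    inactive_timeout: seconds of inactivity before an entry expires; 0 disables it.
    clock: callable returning the current time in seconds (assumed, for testability).
    """

    def __init__(self, max_entries, inactive_timeout, clock):
        self.limit = effective_max_entries(max_entries)
        self.inactive_timeout = inactive_timeout
        self.clock = clock
        self._entries = OrderedDict()            # session_id -> (credential, last_access)

    def insert(self, session_id, credential):
        """Add an entry; when the cache is full the least recently used entry is evicted."""
        self._expire_inactive()
        if self.limit is not None and session_id not in self._entries:
            while len(self._entries) >= self.limit:
                self._entries.popitem(last=False)   # the LRU entry sits at the front
        self._entries[session_id] = (credential, self.clock())
        self._entries.move_to_end(session_id)

    def lookup(self, session_id):
        """Return the credential and refresh its last-access time, or None if absent/expired."""
        self._expire_inactive()
        item = self._entries.get(session_id)
        if item is None:
            return None
        credential, _ = item
        self._entries[session_id] = (credential, self.clock())
        self._entries.move_to_end(session_id)    # most recently used goes to the back
        return credential

    def __len__(self):
        return len(self._entries)

    def _expire_inactive(self):
        """Drop entries idle for at least inactive_timeout seconds (no-op when it is 0)."""
        if self.inactive_timeout == 0:
            return
        now = self.clock()
        stale = [sid for sid, (_, last) in self._entries.items()
                 if now - last >= self.inactive_timeout]
        for sid in stale:
            del self._entries[sid]
```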

prompt-for-displacement

Syntax

prompt-for-displacement = {yes|no}

Description

Determines whether or not a user is prompted for appropriate action when the max-concurrent-web-sessions displace policy has been exceeded.

Options

yes Enables the interactive option, where the user is prompted for appropriate action. When a second login is attempted, the user receives the too_many_sessions.html response page.

no Enables the non-interactive option, where the user is not prompted for appropriate action. When a second login is attempted, the original (older) login session is automatically terminated with no prompt. A new session is created for the user and the user is logged in to this new session transparently. The original (older) session is no longer valid.

Usage

This stanza entry is required.

Default value

yes

Example

prompt-for-displacement = yes

register-authentication-failures

Syntax

register-authentication-failures = {yes|no}

Description

Configure WebSEAL to notify the SMS when login failures occur. SMS can generate a login history based on this information.

Options

yes If set to yes, WebSEAL notifies the SMS when login failures occur so that users can be shown a history of their last successful and failed logins.

no If set to no, WebSEAL does not notify the SMS when login failures occur.

Usage

This stanza entry is optional.

Default value

no

Example

register-authentication-failures = no

require-mpa

Syntax

require-mpa = {yes|no}

Description

Controls whether WebSEAL accepts HTTP headers from requests that are proxied through an authenticated multiplexing proxy agent (MPA).

Options

yes WebSEAL only accepts HTTP headers from requests that are proxied through an authenticated multiplexing proxy agent (MPA).

no WebSEAL accepts HTTP headers under any condition.

Usage

This stanza entry is required.

Default value

yes

Example

require-mpa = yes

resend-webseal-cookies

Syntax

resend-webseal-cookies = {yes|no}

Description

When you configure WebSEAL to use session cookies, specifies whether or not WebSEAL sends the session cookie to the browser with every response.

Options

yes Specifies that WebSEAL sends the session cookie to the browser with every response. This action helps to ensure that the session cookie remains in the browser memory.

no Specifies that WebSEAL does not send the session cookie to the browser with every response.

Usage

This stanza entry is required.

Default value

no

Example

resend-webseal-cookies = no

send-constant-sess

Syntax

send-constant-sess = {yes|no}

Description

Determines whether a session cookie containing a separate, constant identifier is issued during step-up operations to enable tracking for each authenticated session. The identifier remains constant across a single session, regardless of whether the session key changes. The name of the cookie is that of the actual session cookie appended with the suffix -2, for example, PD_S_SESSION_ID_2. This feature is intended to augment the -k junction option.

Options

yes A session cookie containing a separate, constant identifier is issued during step-up operations to allow tracking for each authenticated session.

no No session cookie is issued during step-up operations.

Usage

This stanza entry is required.

Default value

no

Example

send-constant-sess = no

shared-domain-cookie

Syntax

shared-domain-cookie = {yes | no}

Description

Enables a cookie-based session to be shared across all standard and virtual host junctions on a single WebSEAL instance. To share a session in this manner, the WebSEAL instance must store a single session key as an independent value in a multi-valued domain cookie. The multi-valued domain cookie must be indexed by the instance name.

The domain cookie itself is shared across all participating WebSEAL instances, but the session values are specific to each instance.

If WebSEAL exists in an environment where SMS already handles single sign-on across domains, do not enable this configuration item.


Options

yes Enables single sign-on across virtual host junctions in the same WebSEAL instance.

no Disables single sign-on across virtual host junctions in WebSEAL.

Usage

This stanza entry is optional.

Default value

no

Example

shared-domain-cookie = yes

ssl-id-sessions

Syntax

ssl-id-sessions = {yes|no}

Description

Indicates whether to use the SSL ID to maintain a user's HTTP login session.

Options

yes Use the SSL ID to maintain a user's HTTP login session.

no Do not use the SSL ID to maintain a user's HTTP login session. This value must be set to no when the following key = value pair is set:

[certificate]
accept-client-certs = prompt_as_needed

Usage

This stanza entry is required.

Default value

yes

Example

ssl-id-sessions = yes

ssl-session-cookie-name

Syntax

ssl-session-cookie-name = name

Description

Specifies the default or custom name of WebSEAL session cookies.


Options

name Specifies the default or custom name of WebSEAL session cookies.

Usage

This stanza entry is required.

Default value

PD-S-SESSION-ID

Example

ssl-session-cookie-name = PD-S-SESSION-ID

standard-junction-replica-set

Syntax

standard-junction-replica-set = replica_set_name

Description

The replica set to use for sessions created when users access standard WebSEAL junctions. Virtual host junctions either use the replica set specified with the virtualhost create -z option or the virtual host name for the junction.

If using the SMS for session storage, the replica set specified here must also be specified in the [replica-sets] stanza.

Options

value Replica set name.

Usage

This stanza entry is required.

Default value

default

Example

standard-junction-replica-set = default

tcp-session-cookie-name

Syntax

tcp-session-cookie-name = name

Description

Specifies the default or custom name of WebSEAL session cookies.

Options

name Specifies the default or custom name of WebSEAL session cookies.


Usage

This stanza entry is required.

Default value

PD-H-SESSION-ID

Example

tcp-session-cookie-name = PD-H-SESSION-ID

temp-session-cookie-name

Syntax

temp-session-cookie-name = cookie_name

Description

Sets the name of the temporary session cookie that is created for session sharing with Microsoft Office applications. WebSEAL creates a temporary cookie with this name when it responds to a /pkmstempsession management page request.

Options

cookie_name

A string value that represents the name of the single-use cookie that WebSEAL uses to store session information.

Note: This configuration entry must be used in conjunction with a non-zero value for the temp-session-max-lifetime entry, which is also in the [session] stanza. For more information about sharing sessions with Microsoft Office applications, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.

Usage

This stanza entry is required.

Default value

None.

Example

temp-session-cookie-name = PD-TEMP-SESSION-ID

temp-session-max-lifetime

Syntax

temp-session-max-lifetime = number_of_seconds

Description

Positive integer that expresses the maximum lifetime (in seconds) of entries in the temporary session cache.


Options

number_of_seconds

A positive integer that represents the maximum lifetime in seconds. Specify a value of 0 to disable the temporary session cache.

Note: A non-zero value must be configured to enable session sharing with Microsoft Office applications. For more information about sharing sessions with Microsoft Office applications, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.

Usage

This stanza entry is optional.

Default value

None.

Example

temp-session-max-lifetime = 10

timeout

Syntax

timeout = number_of_seconds

Description

Integer value for maximum lifetime, in seconds, for an entry in the credential cache.

The value can be configured for a specific session cache (authenticated or unauthenticated) by adding an additional entry, prefixed by auth or unauth.

Options

number_of_seconds

The minimum number for this value is 0. WebSEAL does not impose a maximum value.

A stanza entry value of "0" disables this timeout feature (lifetime value is unlimited). The control of cache entries is then governed by the inactive-timeout and max-entries stanza entries.

When the cache is full, the entries are cleared based on a least-recently-used algorithm.

Usage

This stanza entry is required.

Default value

3600


Example

timeout = 3600
unauth-timeout = 600

update-session-cookie-in-login-request

Syntax

update-session-cookie-in-login-request = {yes|no}

Description

Controls whether the existing session cookie, found in the HTTP request, is updated if the session ID is modified during the processing of the request.

Options

yes

The existing session cookie is updated if the session ID is modified during the processing of the request.

no

The existing session cookie is not updated if the session ID is modified during the processing of the request.

Usage

This stanza entry is optional.

Default value

no

Example

update-session-cookie-in-login-request = no

user-session-ids

Syntax

user-session-ids = {yes|no}

Description

Enables or disables the creation and handling of user session IDs.

Options

yes

Enables the creation and handling of user session IDs.

no

Disables the creation and handling of user session IDs.

Usage

This stanza entry is required.


Default value

no

Example

user-session-ids = yes

user-session-ids-include-replica-set

Syntax

user-session-ids-include-replica-set = {yes|no}

Description

Include the replica set in the user session ID.

Options

yes If set to "yes", then user-session-ids = yes includes the replica set.

no If set to "no", then WebSEAL does not include the replica set for user-session-ids = yes and assumes that any user session specified in the pdadmin terminate session command belongs to the default replica set.

Usage

This stanza entry is required.

Default value

yes

Example

user-session-ids-include-replica-set = yes

use-same-session

Syntax

use-same-session = {yes|no}

Description

Indicates whether to use the same session for SSL and HTTP clients.

Options

yes When set to yes, a user who has authenticated over HTTP will be authenticated when connecting over HTTPS. Likewise, the user who has authenticated over HTTPS will be authenticated when connecting over HTTP. Using yes will override ssl-id-sessions = yes, because HTTP clients do not read an SSL ID to maintain sessions.

no Do not use the same session for SSL and HTTP clients.

Usage

This stanza entry is required.


Default value

no

Example

use-same-session = no

[session-cookie-domains] stanza

domain

Syntax

domain = url

Description

Normally WebSEAL session cookies are host cookies that browsers only return to the host that originally set them.

This stanza is used to configure domain session cookies that are sent to any host in a particular DNS domain.

Options

url Domains that share the domain cookie.

Usage

This stanza entry is optional.

Default value

None.

Example

domain = example.com

[session-http-headers] stanza

header_name

Syntax

header_name = {http|https}

Description

Configures HTTP headers to maintain session state.

Options

http

Configures HTTP headers to maintain session state over the HTTP transport.


https

Configures HTTP headers to maintain session state over the HTTPS transport.

Usage

This stanza entry is optional.

Default value

None.

Example

entrust-client = https

[ssl] stanza

base-crypto-library

Syntax

base-crypto-library = {Default|RSA|ICC}

Description

Specifies the cipher engine used by GSKit.

Options

Default

The value Default tells GSKit to use the optimal cryptographic base.

RSA Use RSA. Note that setting it to RSA affects the settings possible for fips-mode-processing.

ICC Use ICC.

Usage

This stanza entry is required.

Default value

Default

Example

base-crypto-library = Default

crl-ldap-server

Syntax

crl-ldap-server = server_name

Description

Specifies the Server to be contacted to obtain Certificate Revocation Lists (CRL).


Options

server_name

This parameter can be set to one of two types of values:

1. The name of the LDAP server to be referenced as a source for Certificate Revocation Lists (CRL) during authentication across SSL junctions. If this is used, you may also need to set the following parameters:
v crl-ldap-server-port
v crl-ldap-user
v crl-ldap-user-password

2. The literal string "URI". In the case where no direct LDAP Server is available, this allows GSKit to obtain revocation information from LDAP or the HTTP Servers as specified by the CA in the Certificate Distribution Point (CDP) extension of the certificate.

NOTE: In addition to specifying the string "URI", it is also possible to specify an HTTP server for crl-ldap-server. However, WebSEAL does not currently support the ability to specify an HTTP proxy server, which can provide performance improvements when HTTP servers are used.

Usage

This stanza entry is optional.

Default value

None.

Example

crl-ldap-server = diamond.example.com

crl-ldap-server-port

Syntax

crl-ldap-server-port = port_number

Description

Port number for communication with the LDAP server specified in crl-ldap-server. The LDAP server is referenced for Certificate Revocation List (CRL) checking during SSL authentication.

Options

port_number

Port number for communication with the LDAP server specified in crl-ldap-server.

Usage

This stanza entry is optional. When crl-ldap-server is set, this stanza entry is required.


Default value

None.

Example

crl-ldap-server-port = 389

crl-ldap-user

Syntax

crl-ldap-user = user_DN

Description

Fully qualified distinguished name (DN) of an LDAP user that has access to the Certificate Revocation List.

Options

user_DN

Fully qualified distinguished name (DN) of an LDAP user that has access to the Certificate Revocation List.

Usage

This stanza entry is optional. A null value for crl-ldap-user indicates that the SSL authenticator should bind to the LDAP server anonymously.

Default value

None.

Example

crl-ldap-user = cn=webseald/diamond,cn=SecurityDaemons,secAuthority=Default

crl-ldap-user-password

Syntax

crl-ldap-user-password = password

Description

Password for the user specified in crl-ldap-user.

Options

password

Password for the user specified in crl-ldap-user.

Usage

This stanza entry is optional.


Default value

None.

Example

crl-ldap-user-password = mypassw0rd

disable-ssl-v2

Syntax

disable-ssl-v2 = {yes|no}

Description

Disables support for SSL version 2. Support for SSL v2 is disabled by default. The WebSEAL configuration sets this value.

Options

yes Support is disabled.

no Support is enabled.

Usage

This stanza entry is optional. When not specified, the default is yes.

Default value

yes

Example

disable-ssl-v2 = yes

disable-ssl-v3

Syntax

disable-ssl-v3 = {yes|no}

Description

Disables support for SSL Version 3. Support for SSL V3 is enabled by default. The WebSEAL configuration sets this value.

Options

yes The value yes means support is disabled.

no The value no means the support is enabled.

Usage

This stanza entry is optional. When not specified, the default is no.

Default value

no


Example

disable-ssl-v3 = no

disable-tls-v1

Syntax

disable-tls-v1 = {yes|no}

Description

Disables support for TLS Version 1. Support for TLS V1 is enabled by default. The WebSEAL configuration sets this value.

Options

yes The value yes means support is disabled.

no The value no means the support is enabled.

Usage

This stanza entry is optional. When not specified, the default is no.

Default value

no

Example

disable-tls-v1 = no

disable-tls-v11

Syntax

disable-tls-v11 = {yes|no}

Description

Determines whether WebSEAL supports Transport Layer Security (TLS) version 1.1. WebSEAL supports TLS version 1.1 by default.

Options

yes The value yes disables support for TLS version 1.1.

no The value no enables support for TLS version 1.1.

Usage

This stanza entry is optional. If this entry is not specified, the default is no.

Default value

no

Example

disable-tls-v11 = no


disable-tls-v12

Syntax

disable-tls-v12 = {yes|no}

Description

Determines whether WebSEAL supports Transport Layer Security (TLS) version 1.2. WebSEAL supports TLS version 1.2 by default.

Options

yes The value yes disables support for TLS version 1.2.

no The value no enables support for TLS version 1.2.

Usage

This stanza entry is optional. If this entry is not specified, the default is no.

Default value

no

Example

disable-tls-v12 = no

enable-duplicate-ssl-dn-not-found-msgs

Syntax

enable-duplicate-ssl-dn-not-found-msgs = {yes | no}

Description

Determines whether WebSEAL logs a warning message every time you open a connection to a junction that has:
v Either the -K or the -B flag set, but
v The -D flag is not set.

By default, WebSEAL logs duplicate messages whenever it opens another connection to the junction. These messages appear in the following format:

DPWIV1212W No server DN is defined for 'server.ibm.com'.
The junctioned server DN verification is not performed.

Options

yes Duplicate messages are created. Every time a connection is opened to a junction that has the -K or -B flags specified without the -D option, WebSEAL logs a warning.

no When the server starts, WebSEAL logs a single warning only for each affected junction.

Usage

This stanza entry is required.


Default value

yes

Example

enable-duplicate-ssl-dn-not-found-msgs = no

fips-mode-processing

Syntax

fips-mode-processing = {yes|no}

Description

Enables or disables FIPS mode processing.

Options

yes A value of yes enables FIPS mode processing.

no A value of no disables FIPS mode processing. When base-crypto-library = RSA, this value must be no.

Usage

This stanza entry is required.

Default value

no

Example

fips-mode-processing = no

gsk-attr-name

Syntax

gsk-attr-name = {enum | string | number}:id:value

Description

Specify additional GSKit attributes to use when initializing an SSL connection with the client. A complete list of the available attributes is included in the GSKit SSL API documentation. This configuration entry can be specified multiple times. Configure a separate entry for each GSKit attribute.

Options

{enum | string | number}

The GSKit attribute type.

id The identity associated with the GSKit attribute.

value The value for the GSKit attribute.


Usage

This stanza entry is optional.

You cannot configure the following restricted GSKit attributes:

GSK_BASE_CRYPTO_LIBRARY
GSK_SSL_FIPS_MODE_PROCESSING
GSK_FIPS_MODE_PROCESSING
GSK_OCSP_ENABLE
GSK_OCSP_URL
GSK_OCSP_NONCE_GENERATION_ENABLE
GSK_OCSP_NONCE_CHECK_ENABLE
GSK_OCSP_REQUEST_SIGKEYLABEL
GSK_OCSP_REQUEST_SIGALG
GSK_OCSP_PROXY_SERVER_NAME
GSK_OCSP_PROXY_SERVER_PORT
GSK_OCSP_RETRIEVE_VIA_GET
GSK_OCSP_MAX_RESPONSE_SIZE
GSK_KEYRING_FILE
GSK_KEYRING_PW
GSK_CRL_CACHE_SIZE
GSK_CRL_CACHE_ENTRY_LIFETIME
GSK_KEYRING_STASH_FILE
GSK_KEYRING_LABEL
GSK_LDAP_SERVER
GSK_LDAP_SERVER_PORT
GSK_LDAP_USER
GSK_LDAP_USER_PW
GSK_ACCELERATOR_NCIPHER_NF
GSK_ACCELERATOR_RAINBOW_CS
GSK_PKCS11_DRIVER_PATH
GSK_PKCS11_TOKEN_LABEL
GSK_PKCS11_TOKEN_PWD
GSK_PKCS11_ACCELERATOR_MODE
GSK_V2_SESSION_TIMEOUT
GSK_V3_SESSION_TIMEOUT
GSK_PROTOCOL_SSLV2
GSK_PROTOCOL_SSLV3
GSK_PROTOCOL_TLSV1
GSK_CLIENT_AUTH_TYPE
GSK_SESSION_TYPE
GSK_IO_CALLBACK
GSK_RESET_SESSION_TYPE_CALLBACK
GSK_NO_RENEGOTIATION
GSK_ALLOW_ABBREVIATED_RENEGOTIATION

If you attempt to modify any of these attributes then an error message will be generated.

Default value

None.

Example

The following entry is for the GSKit attribute GSK_HTTP_PROXY_SERVER_NAME, which has an identity value of 225:

gsk-attr-name = string:225:proxy.ibm.com


See also

“gsk-attr-name” on page 60
“gsk-attr-name” on page 313
“jct-gsk-attr-name” on page 287

gsk-crl-cache-entry-lifetime

Syntax

gsk-crl-cache-entry-lifetime = number_of_seconds

Description

Integer value specifying the lifetime timeout, in seconds, for individual entries in the GSKit CRL cache.

See also the standards documents for SSL V3 and TLS V1 (RFC 2246) for more information on CRLs.

Options

number_of_seconds

Integer value specifying the lifetime timeout, in seconds, for individual entries in the GSKit CRL cache. The minimum value is 0. The maximum value is 86400. Neither WebSEAL nor GSKit impose a maximum value on the cache entry lifetime.

Usage

This stanza entry is required.

Default value

0

Example

gsk-crl-cache-entry-lifetime = 0

gsk-crl-cache-size

Syntax

gsk-crl-cache-size = number_of_entries

Description

Integer value indicating the maximum number of entries in the GSKit CRL cache.

See the standards documents for SSL V3 and TLS V1 (RFC 2246) for more information on CRLs.

Options

number_of_entries

Integer value indicating the maximum number of entries in the GSKit CRL cache. Minimum value is 0. A value of 0 means that no entries are cached. Neither WebSEAL nor GSKit impose a maximum value on this cache.


Usage

This stanza entry is required.

Default value

0

Example

gsk-crl-cache-size = 0

jct-gsk-attr-name

Syntax

jct-gsk-attr-name = {enum | string | number}:id:value

Description

Specify additional GSKit attributes to use when initializing an SSL connection with a junctioned server. A complete list of the available attributes is included in the GSKit SSL API documentation. This configuration entry can be specified multiple times. Configure a separate entry for each GSKit attribute.

Options

{enum | string | number}

The GSKit attribute type.

id The identity associated with the GSKit attribute.

value The value for the GSKit attribute.

Usage

This stanza entry is optional.

You cannot configure the following restricted GSKit attributes:

GSK_KEYRING_FILE
GSK_KEYRING_PW
GSK_KEYRING_STASH_FILE
GSK_V2_SIDCACHE_SIZE
GSK_V3_SIDCACHE_SIZE
GSK_V2_SESSION_TIMEOUT
GSK_V3_SESSION_TIMEOUT
GSK_PROTOCOL_SSLV2
GSK_PROTOCOL_SSLV3
GSK_PROTOCOL_TLSV1
GSK_LDAP_SERVER
GSK_LDAP_SERVER_PORT
GSK_LDAP_USER
GSK_LDAP_USER_PW
GSK_CRL_CACHE_SIZE
GSK_CRL_CACHE_ENTRY_LIFETIME
GSK_ACCELERATOR_NCIPHER_NF
GSK_ACCELERATOR_RAINBOW_CS
GSK_PKCS11_DRIVER_PATH
GSK_PKCS11_TOKEN_LABEL
GSK_PKCS11_TOKEN_PWD
GSK_PKCS11_ACCELERATOR_MODE
GSK_BASE_CRYPTO_LIBRARY


GSK_OCSP_ENABLE
GSK_OCSP_URL
GSK_OCSP_NONCE_GENERATION_ENABLE
GSK_OCSP_NONCE_CHECK_ENABLE
GSK_OCSP_REQUEST_SIGKEYLABEL
GSK_OCSP_REQUEST_SIGALG
GSK_OCSP_PROXY_SERVER_NAME
GSK_OCSP_PROXY_SERVER_PORT
GSK_OCSP_RETRIEVE_VIA_GET
GSK_OCSP_MAX_RESPONSE_SIZE

If you attempt to modify any of these attributes then an error message will be generated.

Default value

None.

Example

The following entry is for the GSKit attribute GSK_HTTP_PROXY_SERVER_NAME, which has an identity value of 225:

jct-gsk-attr-name = string:225:proxy.ibm.com

See also

“gsk-attr-name” on page 60
“gsk-attr-name” on page 284
“gsk-attr-name” on page 313

ocsp-enable

Syntax

ocsp-enable = {yes|no}

Description

Enable Online Certificate Status Protocol (OCSP) for checking the revocation status of certificates supplied by a server using the OCSP URL embedded in the certificate using an Authority Info Access (AIA) extension.

Options

yes Enable OCSP to check the revocation status of server supplied certificates.

no Disable OCSP checking of server supplied certificates.

Usage

This stanza entry is optional.

Note: This option can be used as an alternative to, or in conjunction with, the ocsp-url option.

Default value

no


Example

ocsp-enable = no

ocsp-max-response-size

Syntax

ocsp-max-response-size = number of bytes

Description

Sets the maximum response size (in bytes) that will be accepted as a response from an OCSP responder. This limit helps protect against a denial of service attack.

Options

number of bytes

Maximum response size, in bytes.

Note: A value of zero (0) indicates that the value is not set in the configuration file and no call to GSKit will be made to adjust its value; in this case, the option will assume the GSKit default of 20480 bytes. Non-zero values will be passed on to GSKit.

Usage

This stanza entry is optional.

Default value

204080

Example

ocsp-max-response-size = 20480

ocsp-nonce-check-enable

Syntax

ocsp-nonce-check-enable = {yes|no}

Description

Determines whether WebSEAL checks the nonce in the OCSP response. Enabling this option improves security but can cause OCSP Response validation to fail if there is a caching proxy between WebSEAL and the OCSP Responder. Note that enabling this option automatically enables the jct-ocsp-nonce-generation-enable option.

Options

yes WebSEAL checks the nonce in the OCSP response to verify that it matches the nonce from the request.

no WebSEAL does not check the nonce in the OCSP response.


Usage

This stanza entry is optional.

Default value

no

Example

ocsp-nonce-check-enable = no

ocsp-nonce-generation-enable

Syntax

ocsp-nonce-generation-enable = {yes|no}

Description

Determines whether WebSEAL generates a nonce as part of the OCSP request. Enabling this option can improve security by preventing replay attacks on WebSEAL but may cause an excessive load on an OCSP Responder appliance as the responder cannot use cached responses and must sign each response.

Options

yes WebSEAL generates a nonce as part of the OCSP request.

no WebSEAL does not generate a nonce as part of the OCSP request.

Usage

This stanza entry is optional.

Default value

no

Example

ocsp-nonce-generation-enable = no

ocsp-proxy-server-name

Syntax

ocsp-proxy-server-name = <proxy host name>

Description

Specifies the name of the proxy server that provides access to the OCSP responder.

Options

proxy host name

Fully qualified name of the proxy server.


Usage

This stanza entry is optional.

Default value

None

Example

ocsp-proxy-server-name = proxy.ibm.com

ocsp-proxy-server-port

Syntax

ocsp-proxy-server-port = <proxy host port number>

Description

Specifies the port number of the proxy server that provides access to the OCSP Responder.

Options

proxy host port number

Port number used by the proxy server to route OCSP requests and responses.

Usage

This stanza entry is optional.

Default value

None

Example

ocsp-proxy-server-port = 8888

ocsp-url

Syntax

ocsp-url = <OCSP Responder URL>

Description

Specifies the URL for the OCSP Responder. If a URL is provided, WebSEAL will use OCSP for all revocation status checking regardless of whether the certificate has an Authority Info Access (AIA) extension, which means that OCSP will work with existing certificates. WebSEAL will first try the OCSP Responder that is configured by this method rather than using a location specified by AIA extension. If revocation status is undetermined, and if ocsp-enable is set to yes, then WebSEAL will try to obtain revocation status using the access method in the AIA extension.


Options

OCSP Responder URL

URL of the OCSP Responder.

Usage

This stanza entry is optional.

Default value

None

Example

ocsp-url = http://responder.ibm.com/

ssl-keyfile

Syntax

ssl-keyfile = file_name

Description

Specifies the keystore that WebSEAL uses for communicating with other Security Access Manager servers over SSL.

Options

file_name

String specifying the name of the keystore that WebSEAL uses to communicate with other Security Access Manager servers over SSL.

Usage

This stanza entry is required.

Default value

<instance_name>-webseald.kdb, where <instance_name> is the name of the WebSEAL instance.

Example

ssl-keyfile = default-webseald.kdb

ssl-keyfile-label

Syntax

ssl-keyfile-label = label_name

Description

String containing a label for the SSL certificate keyfile. When this label is not specified, the default label is used.

This stanza entry is typically modified only by the WebSEAL configuration utility.


Options

label_name

String containing a label for the SSL certificate keyfile.

Usage

This stanza entry is optional, but is assigned during WebSEAL configuration.

Default value

PD Server

Example

ssl-keyfile-label = PD Server

ssl-keyfile-pwd

Syntax

ssl-keyfile-pwd = password

Description

String containing the password to protect the private keys in the SSL keyfile.

This stanza entry is typically modified only by the WebSEAL configuration utility.

Options

password

When this stanza entry is assigned a value, that value is used instead of any password that is contained in the stash file specified by ssl-keyfile-stash. This stanza entry stores the password in plain text. Use the ssl-keyfile-stash for optimum security.

Usage

This stanza entry is optional.

Default value

None.

Example

ssl-keyfile-pwd = myPassw0rd

ssl-keyfile-stash

Syntax

ssl-keyfile-stash = file_name

Description

Name of the file containing an obfuscated version of the password used to protect private keys in the SSL keyfile.


This stanza entry is typically modified only by the WebSEAL configuration utility.

Options

file_name

Name of the file containing an obfuscated version of the password used to protect private keys in the SSL keyfile.

Usage

This stanza entry is required.

Default value

instance_name-webseald.sth, where instance_name is the name of the WebSEAL instance.

Example

ssl-keyfile-stash = default-webseald.sth

ssl-local-domain

Syntax

ssl-local-domain = local domain name

Description

This option specifies the local domain for a particular instance of WebSEAL, which allows a single server to host multiple WebSEAL instances, each of which could access a separate domain.

Options

local domain name

The local domain for which this instance of WebSEAL is configured. The local domain is provided during WebSEAL configuration and set by the svrsslcfg utility.

Usage

This stanza entry is optional.

Default value

Default

Example

ssl-local-domain = abc.ibm.com

ssl-max-entries

Syntax

ssl-max-entries = number_of_entries


Description

Integer value indicating the maximum number of concurrent entries in the SSL cache.

Options

number_of_entries

Integer value indicating the maximum number of concurrent entries in the SSL cache. The minimum value is zero (0), which means that caching is unlimited. Entries between 0 and 256 are set to 256. There is no maximum limit.

Usage

This stanza entry is optional.

Default value

When the stanza entry is not assigned a value, WebSEAL uses a default value of 0. The WebSEAL configuration utility, however, assigns a default value of 4096.

Example

ssl-max-entries = 4096

ssl-v2-timeout

Syntax

ssl-v2-timeout = number_of_seconds

Description

Session timeout in seconds for SSL v2 connections between clients and servers. This timeout value controls how often a full SSL handshake is completed between clients and WebSEAL.

This value is set by the WebSEAL configuration utility.

Options

number_of_seconds

Valid range of values for number_of_seconds is from 1-100 seconds.

Usage

This stanza entry is required when SSL is enabled.

Default value

100

Example

ssl-v2-timeout = 100


ssl-v3-timeout

Syntax

ssl-v3-timeout = number_of_seconds

Description

Session timeout in seconds for SSL v3 connections between clients and servers. This timeout value controls how often a full SSL handshake is completed between clients and WebSEAL.

This value is set by the WebSEAL configuration utility.

Options

number_of_seconds

Valid range of values for number_of_seconds is from 1-86400 seconds, where 86400 seconds is equal to 1 day. If you specify a number outside this range, the default number of 7200 seconds will be used.

Usage

This stanza entry is required when SSL is enabled.

Default value

7200

Example

ssl-v3-timeout = 7200
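The three [ssl] entries above (ssl-max-entries, ssl-v2-timeout, ssl-v3-timeout) each have a documented fallback rule, and the value in the file is not always the value the server runs with. The following Python script is an added example, not IBM code and not part of this reference: it parses stanza-style text with a small reader written for the example and applies the rules stated above, so a reviewer can see the effective values and the two findings worth raising (an unbounded session cache, and a v3 session lifetime longer than the 7200-second default). The sample configuration is constructed; the rule that the last occurrence of a repeated key wins is an assumption of the example.

```python
"""Effective-value resolver for the WebSEAL [ssl] cache and handshake-timeout
entries (ssl-max-entries, ssl-v2-timeout, ssl-v3-timeout).

Added example, not IBM/WebSEAL code. Rules taken from the reference:
  ssl-max-entries: 0 = unlimited; 1..255 is raised to 256; no upper limit;
                   an absent entry means 0 (the configuration utility writes 4096).
  ssl-v2-timeout:  valid range 1-100 seconds, default 100.
  ssl-v3-timeout:  valid range 1-86400 seconds; anything else becomes 7200.
"""

import re


def parse_stanzas(text):
    """Parse INI-style '[stanza]' / 'key = value' text into {stanza: {key: [values]}}.
    Values are lists because WebSEAL allows a key to repeat (cipher lists, servers)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        stanzas[current].setdefault(key, []).append(value)
    return stanzas


def _int_or_none(stanza, key):
    """Last occurrence wins (assumption of this example); non-numeric -> None."""
    values = stanza.get(key)
    if not values:
        return None
    try:
        return int(values[-1])
    except ValueError:
        return None


def effective_ssl_max_entries(ssl):
    n = _int_or_none(ssl, "ssl-max-entries")
    if n is None or n == 0:
        return 0                   # absent or explicit 0: cache is unlimited
    return max(n, 256)             # 1..255 are rounded up to 256


def effective_ssl_v2_timeout(ssl):
    n = _int_or_none(ssl, "ssl-v2-timeout")
    return n if n is not None and 1 <= n <= 100 else 100


def effective_ssl_v3_timeout(ssl):
    n = _int_or_none(ssl, "ssl-v3-timeout")
    return n if n is not None and 1 <= n <= 86400 else 7200


def effective_ssl_settings(config_text):
    """Return the values WebSEAL would use, plus reviewer findings."""
    ssl = parse_stanzas(config_text).get("ssl", {})
    result = {
        "ssl-max-entries": effective_ssl_max_entries(ssl),
        "ssl-v2-timeout": effective_ssl_v2_timeout(ssl),
        "ssl-v3-timeout": effective_ssl_v3_timeout(ssl),
    }
    findings = []
    if result["ssl-max-entries"] == 0:
        findings.append("SSL session cache is unlimited; bound it (e.g. 4096).")
    if result["ssl-v3-timeout"] > 7200:
        findings.append("ssl-v3-timeout is above the 7200 s default.")
    result["findings"] = findings
    return result


# Constructed sample: a cache value below 256 and an out-of-range v3 timeout.
SAMPLE_CONFIG = """
[ssl]
ssl-max-entries = 100
ssl-v2-timeout = 100
ssl-v3-timeout = 99999
"""

if __name__ == "__main__":
    for key, value in effective_ssl_settings(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the sample, the cache value 100 becomes 256 and the timeout 99999 silently falls back to 7200; an empty configuration yields an unlimited cache, which is the case the script flags.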

suppress-client-ssl-errors

Syntax

suppress-client-ssl-errors = {true|false}

Description

This stanza entry suppresses error messages that originate from SSL communication problems with the client.

Options

true Suppress error messages that originate from SSL communication problems with the client.

false Do not suppress error messages that originate from SSL communication problems with the client.

Usage

This stanza entry is required when SSL is enabled.

Default value

false


Example

suppress-client-ssl-errors = false

undetermined-revocation-cert-action

Syntax

undetermined-revocation-cert-action = {ignore | log | reject}

Description

Controls the action that WebSEAL takes if OCSP or CRL is enabled but the responder cannot determine the revocation status of a certificate (that is, the revocation status is unknown). The appropriate values for this entry should be provided by the OCSP or CRL Responder owner.

Options

ignore WebSEAL ignores the undetermined revocation status and permits use of the certificate.

log WebSEAL logs the fact that the certificate status is undetermined and permits use of the certificate.

reject WebSEAL logs the fact that the certificate status is undetermined and rejects the certificate.

Usage

This stanza entry is required.

Default value

The option defaults to ignore if it is not specified in the configuration file.

Note: The value for this option in the template configuration file is log.

Example

undetermined-revocation-cert-action = log

webseal-cert-keyfile

Syntax

webseal-cert-keyfile = file_name

Description

Specifies the WebSEAL certificate keyfile. This is the server certificate that WebSEAL exchanges with browsers when negotiating SSL sessions.

Options

file_name

Name of the WebSEAL certificate keyfile.

Usage

This stanza entry is required.


Default value

pdsrv.kdb

Example

webseal-cert-keyfile = pdsrv.kdb

webseal-cert-keyfile-label

Syntax

webseal-cert-keyfile-label = label_name

Description

String specifying a label to use for WebSEAL certificate keyfile. When this is not specified, the default label is used.

Options

label_name

String specifying a label to use for WebSEAL certificate keyfile.

Usage

This stanza entry is optional, but is set by default during WebSEAL configuration.

Default value

WebSEAL-Test-Only

Example

webseal-cert-keyfile-label = WebSEAL-Test-Only

webseal-cert-keyfile-pwd

Syntax

webseal-cert-keyfile-pwd = password

Description

Password used to protect private keys in WebSEAL certificate file.

Options

password

When this stanza entry is assigned a value, that value is used instead of any password that is contained in the stash file specified by webseal-cert-keyfile-stash. This stanza entry stores the password in plain text. Use the stash file for optimum security.

Usage

This stanza entry is optional.


Default value

None.

Example

webseal-cert-keyfile-pwd = j73R45huu

webseal-cert-keyfile-stash

Syntax

webseal-cert-keyfile-stash = file_name

Description

Name of the file containing an obfuscated version of the password used to protect private keys in the keyfile.

Options

file_name

Name of the file containing an obfuscated version of the password used to protect private keys in the keyfile.

Usage

This stanza entry is optional.

Default value

pdsrv.sth

Example

webseal-cert-keyfile-stash = pdsrv.sth

[ssl-qop] stanza

ssl-qop-mgmt

Syntax

ssl-qop-mgmt = {yes|no}

Description

Enables or disables SSL quality of protection management.

Options

yes The value yes enables SSL quality of protection management.

no The value no disables SSL quality of protection management.

Usage

This stanza entry is required.


Default value

no

Example

ssl-qop-mgmt = no

[ssl-qop-mgmt-default] stanza

default

Syntax

default = {ALL|NONE|cipher_level}

Description

List of string values to specify the allowed encryption levels for HTTPS access.

Values specified in this stanza entry are used for all IP addresses that are not matched in either the [ssl-qop-mgmt-hosts] stanza entries or the [ssl-qop-mgmt-networks] stanza entries.

Options

ALL The value ALL allows all ciphers.

NONE The value NONE disables all ciphers and uses an MD5 MAC check sum.

cipher_level

Legal cipher values are: NULL, DES-56, FIPS-DES-56, DES-168, FIPS-DES-168, RC2-40, RC2-128, RC4-40, RC4-56, RC4-128, AES-128, AES-256

Value Cipher name in GSKit

NULL TLS_RSA_WITH_NULL_MD5

DES-56 TLS_RSA_WITH_DES_CBC_SHA

FIPS-DES-56 SSL_RSA_FIPS_WITH_DES_CBC_SHA

DES-168 SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA

FIPS-DES-168 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

RC2-40 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

RC2-128 TLS_RC2_CBC_128_CBC_WITH_MD5

RC4-40 TLS_RSA_EXPORT_WITH_RC4_40_MD5

RC4-56 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

RC4-128 TLS_RSA_WITH_RC4_128_MD5

AES-128 TLS_RSA_WITH_AES_128_CBC_SHA

AES-256 TLS_RSA_WITH_AES_256_CBC_SHA

Usage

This stanza entry is required.


Default value

ALL

Example

To specify a selected group of ciphers, create a separate entry for each cipher. For example:

default = RC4-128
default = RC2-128
default = DES-168

[ssl-qop-mgmt-hosts] stanza

host-ip

Syntax

host-ip = {ALL|NONE|cipher_level}

Description

List of string values to specify the allowed encryption levels for HTTPS access for a specific IP address.

Note that this stanza has been deprecated and is retained only for backward compatibility.

Options

ALL The value ALL allows all ciphers.

NONE The value NONE disables all ciphers and uses an MD5 MAC check sum.

cipher_level

Legal cipher values are: NULL, DES-56, FIPS-DES-56, DES-168, FIPS-DES-168, RC2-40, RC2-128, RC4-40, RC4-56, RC4-128, AES-128, AES-256

Value Cipher name in GSKit

NULL TLS_RSA_WITH_NULL_MD5

DES-56 TLS_RSA_WITH_DES_CBC_SHA

FIPS-DES-56 SSL_RSA_FIPS_WITH_DES_CBC_SHA

DES-168 SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA

FIPS-DES-168 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

RC2-40 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

RC2-128 TLS_RC2_CBC_128_CBC_WITH_MD5

RC4-40 TLS_RSA_EXPORT_WITH_RC4_40_MD5

RC4-56 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

RC4-128 TLS_RSA_WITH_RC4_128_MD5

AES-128 TLS_RSA_WITH_AES_128_CBC_SHA

AES-256 TLS_RSA_WITH_AES_256_CBC_SHA


Usage

This stanza entry is optional.

Default value

None.

Example

To specify allowable ciphers for a selected group of IP addresses, create a separate entry for each address. For example:

111.222.333.444 = RC4-128
222.666.333.111 = RC2-128

[ssl-qop-mgmt-networks] stanza

network/netmask

Syntax

network/netmask = {ALL|NONE|cipher_level}

Description

List of string values to specify the allowed encryption levels for HTTPS access for a specific combination of IP address and netmask.

Note that this stanza has been deprecated and is retained only for backward compatibility.

Options

ALL The value ALL allows all ciphers.

NONE The value NONE disables all ciphers and uses an MD5 MAC check sum.

cipher_level

Legal cipher values are: NULL, DES-56, FIPS-DES-56, DES-168, FIPS-DES-168, RC2-40, RC2-128, RC4-40, RC4-56, RC4-128, AES-128, AES-256

Value Cipher name in GSKit

NULL TLS_RSA_WITH_NULL_MD5

DES-56 TLS_RSA_WITH_DES_CBC_SHA

FIPS-DES-56 SSL_RSA_FIPS_WITH_DES_CBC_SHA

DES-168 SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA

FIPS-DES-168 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

RC2-40 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

RC2-128 TLS_RC2_CBC_128_CBC_WITH_MD5

RC4-40 TLS_RSA_EXPORT_WITH_RC4_40_MD5

RC4-56 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

RC4-128 TLS_RSA_WITH_RC4_128_MD5


AES-128 TLS_RSA_WITH_AES_128_CBC_SHA

AES-256 TLS_RSA_WITH_AES_256_CBC_SHA

Usage

This stanza entry is optional.

Default value

None.

Example

To specify allowable ciphers for a selected group of IP addresses and netmasks, create a separate entry for each address/netmask combination. For example:

111.222.333.444/255.255.255.0 = RC4-128
222.666.333.111/255.255.0.0 = RC2-128
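The three quality-of-protection stanzas above ([ssl-qop-mgmt-default], [ssl-qop-mgmt-hosts] and [ssl-qop-mgmt-networks]) form a precedence chain: a host entry wins over a network entry, which wins over the default. The following Python script is an added example, not IBM code and not part of this reference. It resolves the cipher levels that apply to a given client address by that precedence, maps them to the GSKit names from the table above, and reports the levels a reviewer would not want to see enabled (NULL, export-grade, RC2, RC4 and single DES, plus ALL, which admits all of them). The stanza contents and addresses are constructed for the example; the choice to treat the first matching network entry as the winner is an assumption.

```python
"""Resolver for the WebSEAL SSL quality-of-protection stanzas.

Added example, not IBM/WebSEAL code. Input stanzas are given as dicts of
key -> list of values, the shape a stanza reader would produce for entries
that may repeat (several 'default = ...' lines form one cipher list)."""

import ipaddress

# Value -> GSKit cipher name, copied from the table in the reference.
GSKIT_NAMES = {
    "NULL": "TLS_RSA_WITH_NULL_MD5",
    "DES-56": "TLS_RSA_WITH_DES_CBC_SHA",
    "FIPS-DES-56": "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
    "DES-168": "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
    "FIPS-DES-168": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "RC2-40": "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "RC2-128": "TLS_RC2_CBC_128_CBC_WITH_MD5",
    "RC4-40": "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "RC4-56": "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "RC4-128": "TLS_RSA_WITH_RC4_128_MD5",
    "AES-128": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES-256": "TLS_RSA_WITH_AES_256_CBC_SHA",
}

# Levels a reviewer should flag: no encryption, export-grade, RC2/RC4, single DES.
WEAK_LEVELS = {"NULL", "DES-56", "FIPS-DES-56", "RC2-40", "RC2-128",
               "RC4-40", "RC4-56", "RC4-128"}


def resolve_cipher_levels(client_ip, default, hosts, networks):
    """Cipher levels that apply to client_ip.

    Precedence per the reference: an exact [ssl-qop-mgmt-hosts] address wins,
    then an [ssl-qop-mgmt-networks] network/netmask that contains the address
    (first match in file order, an assumption of this example), then the
    [ssl-qop-mgmt-default] list."""
    ip = ipaddress.ip_address(client_ip)
    for host, levels in hosts.items():
        if ipaddress.ip_address(host) == ip:
            return list(levels)
    for key, levels in networks.items():
        network, netmask = key.split("/", 1)
        if ip in ipaddress.ip_network(f"{network}/{netmask}", strict=False):
            return list(levels)
    return list(default.get("default", ["ALL"]))


def expand_levels(levels):
    """Map cipher levels to GSKit cipher names. ALL -> every cipher in the
    table; NONE -> no cipher at all (the reference: only an MD5 MAC check sum)."""
    names = []
    for level in levels:
        if level == "ALL":
            return list(GSKIT_NAMES.values())
        if level == "NONE":
            return []
        if level not in GSKIT_NAMES:
            raise ValueError(f"unknown cipher level: {level}")
        names.append(GSKIT_NAMES[level])
    return names


def audit_levels(levels):
    """Findings a reviewer would raise for a resolved cipher list."""
    findings = []
    if "ALL" in levels:
        findings.append("ALL enables NULL and export-grade ciphers")
    if "NONE" in levels:
        findings.append("NONE disables encryption entirely")
    for level in levels:
        if level in WEAK_LEVELS:
            findings.append(f"{level} ({GSKIT_NAMES[level]}) is weak")
    return findings


# Constructed sample stanzas; addresses are from documentation ranges.
DEFAULT = {"default": ["AES-128", "AES-256"]}
HOSTS = {"192.0.2.10": ["RC4-128"]}
NETWORKS = {"198.51.100.0/255.255.255.0": ["ALL"],
            "192.0.2.0/255.255.255.0": ["DES-168"]}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "198.51.100.7", "203.0.113.1"):
        levels = resolve_cipher_levels(ip, DEFAULT, HOSTS, NETWORKS)
        print(ip, levels, audit_levels(levels))
```

The sample shows why auditing per address matters: the host-level RC4-128 override for 192.0.2.10 silently beats the stronger 3DES setting of its own /24, and the ALL on the second network re-enables every export cipher in the table.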

[step-up] stanza

retain-stepup-session

Syntax

retain-stepup-session = {yes|no}

Description

Determines whether a session cookie issued during a step-up operation is allowed to be reused or not. This option is only in effect if the verify-step-up-user option is set to yes.

Options

yes Enables session cookie to be reused during a step-up operation.

no Prevents session cookie from being reused during a step-up operation.

Usage

This stanza entry is required.

Default value

no

Example

retain-stepup-session = no

show-all-auth-prompts

Syntax

show-all-auth-prompts = {yes|no}


Description

Controls login prompt response for an unauthenticated user who requests an object protected by a step-up authentication POP attribute.

Options

yes A value of "yes" provides multiple login prompts—one for each enabledauthentication method—on each login page.

no A value of "no" provides only the login prompt for the specific authentication level required by the POP (default).

Usage

This stanza entry is required.

Default value

no

Example

show-all-auth-prompts = no

step-up-at-higher-level

Syntax

step-up-at-higher-level = {yes|no}

Description

This configuration entry controls whether an authentication mechanism that is higher than the requested step-up level is accepted during a step-up operation.

Options

yes Authentication levels higher than the level specified in the POP are accepted during step-up operations.

no Higher authentication levels are disallowed during step-up operations.

Usage

This stanza entry is optional.

Default value

no

Example

step-up-at-higher-level = no

verify-step-up-user

Syntax

verify-step-up-user = {yes|no}


Description

Determines whether the identity of the user performing a step-up operation must match the identity of the user that performed the previous authentication.

Options

yes The identity of the user performing the step-up operation must match the identity of the user that performed the previous authentication. In this case, the existing session key will be retained during step-up authentication. The value of the retain-stepup-session option controls whether the existing session key will be retained during step-up authentication.

no The identity of the user performing the step-up operation need not match the identity of the user that performed the previous authentication operation. In this case, the session key must change during step-up authentication.

Usage

This stanza entry is required.

Default value

yes

Example

verify-step-up-user = yes
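The [step-up] entries above interact: retain-stepup-session only matters when verify-step-up-user is yes, and step-up-at-higher-level decides whether an authentication stronger than the POP demands is accepted at all. The following Python model is an added example, not IBM code and not part of this reference; it encodes those combinations as one decision function so the outcome for any configuration can be read off (accepted or not, and whether the session identifier is rotated). The Session and StepUpConfig records, the numeric authentication levels and the session-ID generator are constructed for the example.

```python
"""Decision model for the WebSEAL [step-up] entries verify-step-up-user,
retain-stepup-session and step-up-at-higher-level.

Added example, not IBM/WebSEAL code. Defaults follow the reference:
verify-step-up-user = yes, retain-stepup-session = no, step-up-at-higher-level = no."""

from dataclasses import dataclass


@dataclass
class Session:
    """Constructed stand-in for an existing WebSEAL session."""
    session_id: str
    user: str
    auth_level: int


@dataclass
class StepUpConfig:
    verify_step_up_user: bool = True
    retain_stepup_session: bool = False
    step_up_at_higher_level: bool = False


def _new_session_id(old_id):
    """Constructed stand-in for the server's session-ID generator."""
    return old_id + "-stepped-up"


def apply_step_up(session, cfg, auth_user, auth_level, required_level):
    """Return (accepted, reason, resulting_session) for a step-up attempt.

    - The new authentication must reach the level the POP requires; a higher
      level is accepted only when step-up-at-higher-level = yes.
    - With verify-step-up-user = yes the identity must match the session's
      user, and retain-stepup-session decides whether the session ID is reused.
    - With verify-step-up-user = no the identity may differ, and the session
      key must change; retain-stepup-session is then not in effect."""
    if auth_level < required_level:
        return False, "authentication level below the level required by the POP", session
    if auth_level > required_level and not cfg.step_up_at_higher_level:
        return False, "higher level not accepted (step-up-at-higher-level = no)", session
    if cfg.verify_step_up_user:
        if auth_user != session.user:
            return False, "identity does not match the original session user", session
        keep_id = cfg.retain_stepup_session
    else:
        keep_id = False
    new_id = session.session_id if keep_id else _new_session_id(session.session_id)
    return True, "step-up accepted", Session(new_id, auth_user, auth_level)


if __name__ == "__main__":
    existing = Session("abc", "alice", 1)
    for cfg in (StepUpConfig(), StepUpConfig(retain_stepup_session=True),
                StepUpConfig(verify_step_up_user=False)):
        print(cfg, apply_step_up(existing, cfg, "alice", 2, 2))
```

The case to notice is verify-step-up-user = no: the model lets a different identity complete the step-up, which is why the reference pairs that setting with a mandatory change of session key.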

[system-environment-variables] stanza

env-name

Syntax

env-name = env-value

Description

Defines system environment variables that are exported by WebSEAL.

During initialization, the WebSEAL daemon exports the environment variables that are defined as entries in the [system-environment-variables] stanza. You must include a separate entry for each system environment variable that you want to export.

Options

env-name

The name of the system environment variable.

env-value

The value of the system environment variable.


Usage

This stanza entry is optional.

Note:

v This functionality is not supported on Windows platforms.

v The environment variable names are case-sensitive.

Default value

None.

Example

The following example sets the LANG and GSK_TRACE_FILE environment variables.

LANG = de
GSK_TRACE_FILE = /tmp/gsk.trace

[tfimsso:<jct-id>] stanza

always-send-tokens

Syntax

always-send-tokens = {yes|true|no|false}

Description

Indicates whether a security token should be sent for every HTTP request or whether WebSEAL should wait for a 401 response before adding the security token. This configuration item is used to avoid the unnecessary overhead of generating and adding a security token to every request if the back-end Web server is capable of maintaining user sessions. This configuration item is only useful if the request for authentication involves a 401 response, which currently only applies to TFIM SSO.

Options

yes WebSEAL sends a security token for every HTTP request.

no WebSEAL waits for a 401 response before sending a security token for an HTTP request.

Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

None

Example

always-send-tokens = false


applies-to

Syntax

applies-to = http://<webseal-server>/<junction>

Description

Path to specify the location to search for the appropriate Security Token Service (STS) module in Tivoli Federated Identity Manager.

Options

http://<webseal-server>/<junction>

The host name or IP address of the WebSEAL server, along with the junction name. This address is similar to the URL that is used to access the junction.

Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

None

Example

applies-to = http://webseal-server/jct

one-time-token

Syntax

one-time-token = {true | false}

Description

This boolean value is used to indicate whether the security token that is produced by TFIM is only valid for a single transaction. An example of a one-time-token is a Kerberos token, which can only be used for a single authentication operation.

Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

True.

Example

one-time-token = false


preserve-xml-token

Syntax

preserve-xml-token = {true | false}

Description

This value controls whether to use the requested BinarySecurityToken XML structure in its entirety or whether only the encapsulated token should be used. Set this configuration entry to true only if the junctioned Web server understands and expects the BinarySecurityToken XML structure.

Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

True.

Example

preserve-xml-token = false

renewal-window

Syntax

renewal-window = number of seconds

Description

The length of time, in seconds, by which the expiration of security tokens will be reduced. This entry is used to make allowances for differences in system times and transmission times for the security tokens.

Options

number of seconds

Number of seconds by which the expiration of security tokens will be reduced to make allowances for differences between system times and transmission times for security tokens.

Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

None

Example

renewal-window = 15


service-name

Syntax

service-name = <servicename>

Description

1. Used by TFIM when searching for a matching trust chain. This configuration entry will be compared against the configured AppliesTo service name value for each trust chain. The second field within the AppliesTo service name configuration entry should be set to either asterisk (*) to match all service names, or it should be set to the value defined by this configuration item. See the TFIM documentation for further details on configuring Trust Chains.

2. Used as the service principal name of the delegating user when creating a Kerberos token. The service principal name can be determined by executing the Microsoft utility setspn (that is, setspn -L user, where user is the identity of the user on the junctioned Web server).

Options

<service name>

The service name which is used to locate the trust chain within TFIM.

Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

None

Example

service-name = HTTP/bigblue.wma.ibm.com

tfim-cluster-name

Syntax

tfim-cluster-name = name of cluster

Description

The name of the WebSphere cluster for the Tivoli Federated Identity Manager service. The cluster is defined by this stanza entry along with a corresponding [tfim-cluster:<cluster>] stanza.

Options

name of cluster

The name of the WebSphere cluster that contains the Tivoli Federated Identity Manager service.

Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.


Default value

None

Example

tfim-cluster-name = wascluster01

token-collection-size

Syntax

token-collection-size = number

Description

Specifies the number of security tokens for WebSEAL to retrieve from Tivoli Federated Identity Manager in a single request. This construct is currently only supported for the Kerberos STS module.

Note: The number value for this stanza entry should be relatively low. Each token retrieved from Tivoli Federated Identity Manager (TFIM) is quite large; specifying a large number dramatically increases the size of the packets received from TFIM, which in turn increases the size of the session and the amount of memory used by WebSEAL.

Options

number

The number of security tokens that WebSEAL will retrieve from Tivoli Federated Identity Manager and cache for subsequent requests.

Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

None

Example

token-collection-size = 10

token-type

Syntax

token-type = token_type

Description

Specifies the type of token to be requested from Tivoli Federated Identity Manager. This value should correspond to the 'Token Type URI' field for the corresponding trust chain within TFIM.

Options

token_type

Indicates the type of token to be requested from Tivoli Federated Identity Manager. Available options are Kerberos, SAML and LDAP.


Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

None

Example

token-type = http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ

token-transmit-name

Syntax

token-transmit-name = text

Description

The name given to the security token within the junctioned Web server request.

Options

text This is a free text field.

Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

None

Example

token-transmit-name = Authorization

token-transmit-type

Syntax

token-transmit-type = {header | cookie}

Description

The type of mechanism which will be used to transmit the security token to the junctioned Web server.

Options

header The security token will be included in a header.

cookie The security token will be included in a cookie.


Usage

This stanza entry is required when TFIM SSO authentication is used over junctions.

Default value

None

Example

token-transmit-type = header

[tfim-cluster:<cluster>] stanza

This stanza contains definitions for a particular cluster of Tivoli Federated Identity Manager servers.

basic-auth-user

Syntax

basic-auth-user = <user_name>

Description

Specifies the name of the user for WebSEAL to include in the basic authentication header when communicating with the Tivoli Federated Identity Manager server.

Options

<user_name>

The user name that WebSEAL includes in the basic authentication header.

Usage

This stanza entry is optional.

Note: Configure this entry if the Tivoli Federated Identity Manager server is configured to require basic authentication.

Default value

None.

Example

basic-auth-user = user_name

basic-auth-passwd

Syntax

basic-auth-passwd = <password>

Description

Specifies the password for WebSEAL to include in the basic authentication header when communicating with the Tivoli Federated Identity Manager server.


Options

<password>

The password that WebSEAL includes in the basic authentication header.

Usage

This stanza entry is optional.

Note: Configure this entry if the Tivoli Federated Identity Manager server is configured to require basic authentication.

Default value

None.

Example

basic-auth-passwd = password

gsk-attr-name

Syntax

gsk-attr-name = {enum | string | number}:id:value

Description

Specify additional GSKit attributes to use when initializing an SSL connection with Tivoli® Federated Identity Manager. A complete list of the available attributes is included in the GSKit SSL API documentation. This configuration entry can be specified multiple times. Configure a separate entry for each GSKit attribute.

Options

{enum | string | number}

The GSKit attribute type.

id The identity associated with the GSKit attribute.

value The value for the GSKit attribute.

Usage

This stanza entry is optional.

You cannot configure the following restricted GSKit attributes:

v GSK_KEYRING_FILE
v GSK_KEYRING_STASH_FILE
v GSK_KEYRING_LABEL
v GSK_CIPHER_V2
v GSK_V3_CIPHER_SPECS
v GSK_PROTOCOL_TLSV1
v GSK_FIPS_MODE_PROCESSING

If you attempt to modify any of these attributes then an error message will be generated.


Default value

None.

Example

The following entry is for the GSKit attribute GSK_HTTP_PROXY_SERVER_NAME, which has an identity value of 225:

gsk-attr-name = string:225:proxy.ibm.com

See also

“gsk-attr-name” on page 60
“gsk-attr-name” on page 284
“jct-gsk-attr-name” on page 287

handle-idle-timeout

Syntax

handle-idle-timeout = <number>

Description

Specifies the length of time, in seconds, before an idle handle is removed from the handle pool cache.

Options

<number>

Length of time, in seconds, before an idle handle is removed from the handle pool cache.

Usage

This stanza entry is required when Kerberos authentication is used over junctions.

Default value

None

Example

handle-idle-timeout = 240

handle-pool-size

Syntax

handle-pool-size = <number>

Description

Specifies the maximum number of cached handles that WebSEAL uses when communicating with Tivoli Federated Identity Manager.


Options

<number>

Maximum number of handles that WebSEAL caches to communicate with Tivoli Federated Identity Manager.

Usage

This stanza entry is required when Kerberos authentication is used over junctions.

Default value

10

Example

handle-pool-size = 10

server

Syntax

server = {[0-9],}<URL>

Description

Specifies the priority level and URL for a single Tivoli Federated Identity Manager server that is a member of the cluster identified for this [tfim-cluster:<cluster>] stanza.

Options

[0-9] A digit, 0-9, that represents the priority of this server within the cluster (9 is the highest, 0 is the lowest). If the priority is not specified, a priority of 9 is assumed.

Note: There can be no space between the comma (,) and the URL. If no priority is specified, the comma is omitted.

<URL>

A well-formed HTTP or HTTPS uniform resource locator for the server.

Usage

This stanza entry is required when Kerberos authentication is used over junctions.

Note: You can specify multiple server entries for a particular cluster for failover and load balancing.

Default value

None

Example

server = 9,http://tfim-server.example.com/TrustServerWST13/services/RequestSecurityToken
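The server entry above has a small but easily mis-typed grammar (a single-digit priority, a comma with no following space, then the URL; priority 9 when omitted), and whether any member uses HTTPS is the first of the two conditions that make the stanza's ssl-* entries required. The following Python script is an added example, not IBM code and not part of this reference: it parses server values by that grammar, orders the members for failover, and lists which ssl-* entries of a cluster stanza would fall back to the global [ssl] stanza when the cluster is reached over HTTPS. The sample stanza and host names are constructed; the regular expression and the fallback list are assumptions of the example, not WebSEAL's own parser.

```python
"""Parser and review helper for [tfim-cluster:<cluster>] 'server' entries.

Added example, not IBM/WebSEAL code. Syntax from the reference:
    server = {[0-9],}<URL>
optional single-digit priority (9 highest, default 9), comma, URL, no space."""

import re
from urllib.parse import urlsplit

# Optional "<digit>," then a run of non-space characters to the end of the value.
_SERVER_RE = re.compile(r"^(?:(?P<prio>[0-9]),)?(?P<url>\S+)$")

# ssl-* entries the reference describes for this stanza; when absent and the
# cluster uses HTTPS, WebSEAL uses the global [ssl] values instead.
SSL_ENTRIES = ("ssl-fips-enabled", "ssl-keyfile", "ssl-keyfile-label",
               "ssl-keyfile-stash", "ssl-valid-server-dn")


def parse_server_entry(value):
    """Return (priority, url) for one 'server = ...' value or raise ValueError.

    A space after the comma is rejected outright (the reference forbids it)
    rather than being read as a priority of 9 with a different URL."""
    m = _SERVER_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed server entry: {value!r}")
    url = m.group("url")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"server URL must be a well-formed HTTP(S) URL: {url!r}")
    prio = int(m.group("prio")) if m.group("prio") is not None else 9
    return prio, url


def order_cluster(values):
    """Members sorted for failover: highest priority first; within one priority,
    the order they appear in the file (sorted() is stable)."""
    parsed = [parse_server_entry(v) for v in values]
    return sorted(parsed, key=lambda p: -p[0])


def cluster_uses_ssl(values):
    """True if at least one member URL uses HTTPS."""
    return any(urlsplit(url).scheme == "https"
               for _, url in (parse_server_entry(v) for v in values))


def missing_ssl_entries(values, stanza):
    """ssl-* entries not set in the stanza although the cluster uses HTTPS.
    These are review findings: per the reference the global [ssl] values apply,
    and an absent ssl-valid-server-dn means any server DN is accepted."""
    if not cluster_uses_ssl(values):
        return []
    return [k for k in SSL_ENTRIES if k not in stanza]


# Constructed sample stanza: two members, one without an explicit priority.
SAMPLE_SERVERS = [
    "5,https://tfim-b.example.com/TrustServerWST13/services/RequestSecurityToken",
    "http://tfim-a.example.com/TrustServerWST13/services/RequestSecurityToken",
]
SAMPLE_STANZA = {"server": SAMPLE_SERVERS, "ssl-keyfile": ["default-webseald.kdb"]}

if __name__ == "__main__":
    for prio, url in order_cluster(SAMPLE_SERVERS):
        print(prio, url)
    print("uses SSL:", cluster_uses_ssl(SAMPLE_SERVERS))
    print("falls back to [ssl]:", missing_ssl_entries(SAMPLE_SERVERS, SAMPLE_STANZA))
```

In the sample the unprioritised http member outranks the explicitly prioritised https one (9 beats 5), and four of the five ssl-* entries are reported as falling back to the global stanza, ssl-valid-server-dn among them.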


ssl-fips-enabled

Syntax

ssl-fips-enabled = {yes|no}

Description

Determines whether Federal Information Processing Standards (FIPS) mode is enabled with Tivoli Federated Identity Manager.

Note: If no configuration entry is present, the setting from the global setting,determined by the Access Manager policy server, takes effect.

Options

yes FIPS mode is enabled.

no FIPS mode is disabled.

Usage

This stanza entry is required if both of the following conditions are true:

v One or more of the cluster server entries use SSL (that is, contains an HTTPS protocol specification in the URL).

v A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.

Note: If you want to use a FIPS level that is different to the Access Manager policy server, edit the configuration file and specify a value for this entry.

Example

ssl-fips-enabled = yes

ssl-keyfile

Syntax

ssl-keyfile = <file_name>

Description

Specifies the name of the key database file that houses the client certificate for WebSEAL to use.


Options

<file_name>

Name of the key database file that contains the client-side certificate for WebSEAL to use when Tivoli Federated Identity Manager single sign-on is enabled for the junction.

Usage

This stanza entry is required if both of the following conditions are true:

v One or more of the cluster server entries use SSL (that is, contains an HTTPS protocol specification in the URL).

v A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.

Example

ssl-keyfile = default-webseald.kdb

ssl-keyfile-label

Syntax

ssl-keyfile-label = <label-name>

Description

Specifies the label of the client-side certificate in the key database.

Options

<label-name>

Label of the client-side certificate in the key database.

Usage

This stanza entry is required if both of the following conditions are true:

v One or more of the cluster server entries use SSL (that is, contains an HTTPS protocol specification in the URL).

v A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.


Example

ssl-keyfile-label = WebSEAL-Test

ssl-keyfile-stash

Syntax

ssl-keyfile-stash = <filename.sth>

Description

Specifies the name of the password stash file for the key database file.

Options

<filename.sth>

The name of the password stash file for the key database file.

Usage

This stanza entry is required if both of the following conditions are true:

v One or more of the cluster server entries use SSL (that is, contains an HTTPS protocol specification in the URL).

v A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.

Example

ssl-keyfile-stash = default-webseald.sth

ssl-valid-server-dn

Syntax

ssl-valid-server-dn = <DN-value>

Description

Specifies the distinguished name of the server, which is obtained from the server SSL certificate, that WebSEAL can accept.

Options

<DN-value>

The distinguished name of the server, which is obtained from the server SSL certificate, that WebSEAL accepts. If no value is specified, then WebSEAL considers all domain names valid. You can specify multiple domain names by including multiple ssl-valid-server-dn configuration entries.


Usage

This stanza entry is required if both of the following conditions are true:

- One or more of the cluster server entries use SSL (that is, contains an HTTPS protocol specification in the URL).
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.

Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.

Default value

None.

Example

ssl-valid-server-dn = CN=Access Manager,OU=SecureWay,O=Tivoli,C=US
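The three ssl-* entries above (ssl-keyfile-label, ssl-keyfile-stash and ssl-valid-server-dn) share one rule: they matter only when a cluster server uses HTTPS, and each one that is missing falls back to the global [ssl] stanza, except that a missing ssl-valid-server-dn means every server DN is accepted. The following script is an added example, not IBM's code, that applies those rules to a constructed webseald.conf-style fragment. It assumes that keys may repeat within a stanza and that cluster members are written as `server = <priority>,<URL>` entries; neither format detail is stated on this page.

```python
"""Added example (not IBM's code): check the ssl-keyfile-label,
ssl-keyfile-stash and ssl-valid-server-dn entries of a
[tfim-cluster:<cluster>] stanza against the rules stated in the reference.

Assumptions not on this page: the stanza is read from webseald.conf-style
text in which keys may repeat, and cluster members are listed as
`server = <priority>,<URL>` entries. The configuration below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample: one cluster that talks HTTPS to TFIM, supplies its own
# key label, and leaves the stash file and the server DN check unset.
SAMPLE_CONF = """
[ssl]
ssl-keyfile-stash = pdsrv.sth
ssl-keyfile-label = WebSEAL-Test

[tfim-cluster:cluster1]
server = 9,https://tfim.example.com:9443/TrustServer/SecurityTokenService
server = 5,http://tfim-backup.example.com:9080/TrustServer/SecurityTokenService
ssl-keyfile-label = WebSEAL-Test
timeout = 240
"""

# The three entries this part of the reference describes.
SSL_ENTRIES = ("ssl-keyfile-label", "ssl-keyfile-stash", "ssl-valid-server-dn")


def parse_stanzas(text):
    """Parse [stanza] / key = value text into {stanza: {key: [values]}}.

    Repeated keys are kept as lists because entries such as `server` and
    `ssl-valid-server-dn` may legitimately appear more than once.
    """
    stanzas = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()].append(value.strip())
    return stanzas


def check_tfim_cluster(stanzas, cluster):
    """Return a list of findings for one [tfim-cluster:<cluster>] stanza."""
    name = f"tfim-cluster:{cluster}"
    cluster_cfg = stanzas.get(name, {})
    global_ssl = stanzas.get("ssl", {})
    findings = []

    # Rule 1: the ssl-* entries are only required when at least one cluster
    # server URL uses HTTPS (the URL follows the assumed "<priority>," prefix).
    urls = [v.split(",", 1)[-1].strip() for v in cluster_cfg.get("server", [])]
    if not any(u.lower().startswith("https://") for u in urls):
        findings.append("no HTTPS server entries; ssl-* entries are not required")
        return findings

    # Rule 2: an entry missing from the cluster stanza falls back to [ssl].
    for entry in SSL_ENTRIES:
        if entry in cluster_cfg:
            continue
        if entry in global_ssl:
            findings.append(f"{entry}: not set, falls back to [ssl] value "
                            f"{global_ssl[entry][0]!r}")
        elif entry == "ssl-valid-server-dn":
            # Per the reference: with no value, every server DN is accepted,
            # so the identity in the TFIM server certificate is not checked.
            findings.append("ssl-valid-server-dn: not set anywhere; "
                            "WebSEAL accepts any server DN")
        else:
            findings.append(f"{entry}: not set in [{name}] or [ssl]")
    return findings


if __name__ == "__main__":
    for finding in check_tfim_cluster(parse_stanzas(SAMPLE_CONF), "cluster1"):
        print(finding)
```

Run against the sample, the checker reports that ssl-keyfile-stash is inherited from [ssl] and that ssl-valid-server-dn is set nowhere; the second finding is the one to act on, by adding an ssl-valid-server-dn entry per accepted server certificate, as in the example value above.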

timeout

Syntax

timeout = <number of seconds>

Description

Specifies the length of time, in seconds, to wait for a response from Tivoli Federated Identity Manager.

Options

<number of seconds>

The length of time, in seconds, to wait for a response from Tivoli Federated Identity Manager.

Usage

This stanza entry is required when Kerberos authentication is used over junctions.

Default value

None.

Example

timeout = 240

[uraf-registry] stanza

bind-id

Syntax

bind-id = server_id


Description

An administrator or user login identity for the registry server that WebSEAL can use to bind (sign on) to the registry server.

If the ID belongs to a user rather than an administrator, the user must have privileges to update and modify data in the user registry.

The WebSEAL configuration process generates this value. Do not change it.

Options

server_id

The server_id is an alphanumeric string that is not case-sensitive. String values must contain characters that are part of the local code set.

The underlying registry determines whether there are any limits on the minimum and maximum lengths of the ID. For Active Directory, the maximum length is 256 alphanumeric characters.

Usage

This stanza entry is required if you are not using an LDAP registry.

Default value

The default value is server-specific.

Example

bind-id = MySvrAdminID

cache-lifetime

Syntax

cache-lifetime = number_seconds

Description

Number of seconds that the objects are allowed to stay in the cache.

This stanza entry does not appear in the ivmgrd.conf configuration file because you do not want the policy server object to be cached.

Options

number_seconds

The timeout specified in number of seconds. Use a number within the range of 1 to 86400. For performance tuning, the longer the time specified, the longer the repetitive Read advantage is held. A smaller number of seconds negates the cache advantage for user-initiated Reads.

Usage

This stanza entry is optional.


If cache-mode = enabled and this stanza entry is not used, the default value of 30 seconds will be used.

Default value

30

Example

cache-lifetime = 63200

cache-mode

Syntax

cache-mode = {enabled|disabled}

Description

Mode for caching that represents the cache being either turned on or turned off.

This stanza entry does not appear in the ivmgrd.conf configuration file because you do not want the policy server object to be cached.

Options

enabled

Turns the cache on. You would enable the cache mode to improve the performance of repetitive Read actions on a specified object, such as login performance that is done more than once a day. Performance for Write actions would not be improved.

disabled

Turns the cache off. You would disable the cache mode for better security. Caching opens a small window for users to go from server to server in order to bypass the maximum number of failed login attempts.

Usage

This stanza entry is optional. This stanza entry is normally provided for all Security Access Manager servers, except for the policy server pdmgrd.

Default value

enabled

Example

cache-mode = enabled

cache-size

Syntax

cache-size = {number_objects|object type:cache count value}


Description

Maximum number of objects for a particular type of object that can be in the cache at one time without hash table collisions. Or, if it is not numeric, it is a list of one or more object types and their cache count values.

This stanza entry does not appear in the ivmgrd.conf configuration file because you do not want the policy server object to be cached.

Options

number_objects

Maximum number of objects must be a prime number for the cache count values. Range value is from 3 to a maximum number that is logical for the task and that does not affect performance. Non-prime numbers are automatically rounded up to the next higher prime number. If the number fails, the default value will be used.

object type:cache count value

List of one or more object types and their cache count values. Examples:

cache-size = user:251;group:251;resgroup:251;resource:251;rescreds:251;

or

cache-size = user:251;group:251;

The second example sets the user and group cache sizes to 251 and does not use any cache for the others.

Performance tuning depends on how much memory space is dedicated to a cache or how many objects you typically have repetitive Read actions on (such as how many users you have logging in a day). For example, a setting of 251 might not be good if you have 1000 users logging in and out several times a day. However, if only 200 of those users log in and out repetitively during the day, 251 might work well.

Usage

This stanza entry is optional.

If cache-mode = enabled and this stanza entry is not used, the default value for cache size will be used.

Default value

The default value is server-specific.

Example

cache-size = 251
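The cache-lifetime, cache-mode and cache-size entries above describe how WebSEAL interprets the [uraf-registry] cache settings: a lifetime limited to 1 to 86400 seconds with a default of 30, a mode that is on unless disabled, and cache counts that are either a single number or a `type:count;...` list, each rounded up to the next prime. The following is an added example, not IBM's code, that computes the effective values from those rules. Two points are assumptions, not page facts: the server-specific default cache size is taken as 251 (the page's example value), and a count below the documented minimum of 3 is treated as the case where "the number fails" and the default is used.

```python
"""Added example (not IBM's code): compute the effective [uraf-registry]
cache settings (cache-mode, cache-lifetime, cache-size) from the rules
in the reference text.
"""
import re

CACHE_LIFETIME_DEFAULT = 30          # seconds, stated default
CACHE_LIFETIME_RANGE = (1, 86400)    # stated range
CACHE_SIZE_MIN = 3                   # stated lower bound of the range
CACHE_SIZE_DEFAULT = 251             # assumption: page says "server-specific"


def is_prime(n):
    """Trial division is enough: cache counts are small integers."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def next_prime(n):
    """Round a requested count up to the next prime, as the reference says."""
    while not is_prime(n):
        n += 1
    return n


def effective_cache_mode(value):
    """enabled (the default) or disabled; anything else is a config error."""
    if value is None:
        return "enabled"
    v = value.strip().lower()
    if v not in ("enabled", "disabled"):
        raise ValueError(f"cache-mode must be enabled or disabled, got {value!r}")
    return v


def effective_cache_lifetime(value):
    """Lifetime in seconds: the default of 30 when unset, else the value
    if it lies within the documented range."""
    if value is None:
        return CACHE_LIFETIME_DEFAULT
    n = int(value)
    lo, hi = CACHE_LIFETIME_RANGE
    if not lo <= n <= hi:
        raise ValueError(f"cache-lifetime {n} is outside {lo}..{hi}")
    return n


def _count(n):
    # Assumption: a count below the stated minimum "fails" and takes the default.
    return next_prime(n) if n >= CACHE_SIZE_MIN else CACHE_SIZE_DEFAULT


def parse_cache_size(value):
    """Return {object_type: count} with counts rounded up to primes.

    A bare number applies to every object type (key "*"). A list such as
    `user:251;group:251;` sets only the named types; types not listed get
    no cache, per the reference text.
    """
    if value is None:
        return {"*": CACHE_SIZE_DEFAULT}
    value = value.strip()
    if value.isdigit():
        return {"*": _count(int(value))}
    sizes = {}
    for item in filter(None, (p.strip() for p in value.split(";"))):
        m = re.fullmatch(r"([A-Za-z_]+):(\d+)", item)
        if not m:
            raise ValueError(f"bad cache-size item {item!r}")
        sizes[m.group(1)] = _count(int(m.group(2)))
    return sizes


def effective_cache_settings(stanza):
    """Combine the three entries; `stanza` maps entry name to raw value and
    absent entries take the documented defaults."""
    if effective_cache_mode(stanza.get("cache-mode")) == "disabled":
        # No caching at all: lifetime and size are irrelevant.
        return {"cache-mode": "disabled", "cache-lifetime": None, "cache-size": {}}
    return {
        "cache-mode": "enabled",
        "cache-lifetime": effective_cache_lifetime(stanza.get("cache-lifetime")),
        "cache-size": parse_cache_size(stanza.get("cache-size")),
    }


if __name__ == "__main__":
    # Constructed stanza values, including a non-prime count to show rounding.
    print(effective_cache_settings({"cache-mode": "enabled",
                                    "cache-lifetime": "63200",
                                    "cache-size": "user:250;group:100;resgroup:1000"}))
```

The rounding step is what makes a request for 250 user entries become 251, and 1000 become 1009; checking the effective numbers this way avoids sizing a cache on the assumption that the configured count is the one in use.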

[user-agent] stanza

user-agent

Syntax

user-agent = pattern


Description

When recording flow data statistics, WebSEAL can categorize the incoming requests based on the user-agent string in the HTTP Request header. Categorizing requests based on the user-agent can make the statistical data more useful.

Use this stanza to specify a list of category names and patterns for the user-agent strings to match. You can repeat a category so that multiple patterns match a single category. The patterns are evaluated in the order of their definition. WebSEAL selects the first match to categorize each request.

Note: The stanza must always end with an entry that contains the match-all pattern *.

Options

pattern

The appliance uses this pattern to categorize the incoming requests. The appliance categorizes each request by matching the user-agent string value in the HTTP Request header with the defined pattern list.

Note: The pattern can contain the wildcard characters * and ?. The patterns are not case-sensitive.

Usage

This stanza entry is optional.

Default value

None.

Example

In this example, both Android and iOS user-agent strings match the MOBILE category. WebSEAL uses the SUNDRY category if a user-agent string does not match any of the other defined patterns.

INTERNET_EXPLORER = *msie*
FIREFOX = *firefox*
CHROME = *chrome*
MOBILE = *android*
MOBILE = *ios*
SUNDRY = *
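The matching rules above (wildcards * and ?, case-insensitive comparison, evaluation in definition order with the first match winning, and a mandatory trailing * entry) are simple to state but easy to misjudge when patterns overlap. The following is an added example, not IBM's code, that applies the reference's own example stanza to a few constructed User-Agent header values; the sample header values and the regex translation of the patterns are this example's own.

```python
"""Added example (not IBM's code): categorize User-Agent header values with
the [user-agent] stanza rules from the reference.
"""
import re

# The reference's example stanza as (category, pattern) pairs in definition
# order; the repeated MOBILE category stays as two separate rules.
USER_AGENT_STANZA = [
    ("INTERNET_EXPLORER", "*msie*"),
    ("FIREFOX", "*firefox*"),
    ("CHROME", "*chrome*"),
    ("MOBILE", "*android*"),
    ("MOBILE", "*ios*"),
    ("SUNDRY", "*"),
]

# Constructed sample User-Agent values (not from the page).
SAMPLE_AGENTS = {
    "ie": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "firefox": "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0",
    "android_chrome": "Mozilla/5.0 (Linux; Android 10) AppleWebKit/537.36 "
                      "Chrome/100.0 Mobile Safari/537.36",
    "curl": "curl/7.81.0",
}


def pattern_to_regex(pattern):
    """Translate a stanza pattern into a regex: * matches any run of
    characters, ? exactly one, everything else literally; the match is
    case-insensitive as the reference requires."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def compile_stanza(rules):
    """Validate the stanza and compile its patterns, preserving order."""
    if not rules or rules[-1][1] != "*":
        raise ValueError("[user-agent] stanza must end with a match-all * entry")
    return [(category, pattern_to_regex(p)) for category, p in rules]


def categorize(user_agent, compiled):
    """Return the category of the first rule whose pattern matches."""
    for category, regex in compiled:
        if regex.fullmatch(user_agent):
            return category
    # Unreachable once compile_stanza() has enforced the trailing * rule.
    raise AssertionError("no rule matched")


if __name__ == "__main__":
    rules = compile_stanza(USER_AGENT_STANZA)
    for name, ua in SAMPLE_AGENTS.items():
        print(f"{name:15s} -> {categorize(ua, rules)}")
```

One consequence of first-match ordering shows up immediately: the Android Chrome agent lands in CHROME, not MOBILE, because the *chrome* rule precedes the *android* rule. If the statistics should count mobile browsers as MOBILE regardless of engine, the MOBILE rules have to be listed before CHROME.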


Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.


Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.


Index

Special characters

pam-issue stanza entry
    pam-resource:URI stanza 208
resource-name stanza entry
    http-transformations stanza 107
user-agent stanza entry
    user-agent stanza 322

A

absolute-uri-in-request-log stanza entry
    logging stanza 171
accept-client-certs stanza entry
    certificate stanza 42
access stanza entry
    p3p-header stanza 194
accessibility xiv
account-expiry-notification stanza entry
    acnt-mgt stanza 1
account-inactivated stanza entry
    acnt-mgt stanza 1
account-locked stanza entry
    acnt-mgt stanza 2
acnt-mgt stanza 1
    account-expiry-notification entry 1
    account-inactivated entry 1
    account-locked entry 2
    allow-unauthenticated-logout entry 3
    allowed-referers entry 3
    cert-failure entry 4
    cert-stepup-http entry 5
    certificate-login entry 5
    change-password-auth entry 6
    client-notify-tod entry 6
    enable-html-redirect entry 7
    enable-local-response-redirect entry 7
    enable-passwd-warn entry 8
    enable-secret-token-validation entry 9
    help entry 10
    html-redirect entry 11
    http-rsp-header entry 10
    login entry 11
    login-redirect-page entry 12
    login-success entry 13
    logout entry 13
    passwd-change entry 14
    passwd-change-failure entry 14
    passwd-change-success entry 15
    passwd-expired entry 15
    passwd-warn entry 16
    passwd-warn-failure entry 16
    redirect-to-root-for-pkms entry 17
    single-signoff-uri entry 17
    stepup-login entry 18
    switch-user entry 19
    temp-cache-response entry 19
    too-many-sessions entry 20
    use-filename-for-pkmslogout entry 21
    use-restrictive-logout-filenames entry 20
agents stanza entry
    logging stanza 171
allow-backend-domain-cookies stanza entry
    junction stanza 121, 128
allow-empty-form-fields stanza entry
    forms stanza 103
allow-shift-jis-chars stanza entry
    server stanza 225
allow-unauth-ba-supply stanza entry
    server stanza 225
allow-unauthenticated-logout stanza entry
    acnt-mgt stanza 3
allow-unsolicited-logins stanza entry
    server stanza 226
allowed-referers stanza entry
    acnt-mgt stanza 3
always-send-tokens stanza entry
    tfimsso:<jct-id> stanza 306
applies-to stanza entry
    tfimsso:<jct-id> stanza 307
apply-tam-native-policy stanza entry
    oauth-eas stanza 186
    rtss-eas stanza 213
attribute_name_pattern stanza entry
    credential-refresh-attributes stanza 57
attribute_pattern stanza entry
    cdsso-incoming-attributes stanza 39
    ecsso-incoming-attributes stanza 85
    failover-add-attributes stanza 93
    failover-restore-attributes stanza 95, 96
audit-attribute stanza entry
    aznapi-configuration stanza 23
audit-log-cfg stanza entry
    rtss-eas stanza 214
audit-mime-types stanza entry
    logging stanza 172
audit-response-codes stanza entry
    logging stanza 172
auditcfg stanza entry
    aznapi-configuration stanza 23
auditlog stanza entry
    aznapi-configuration stanza 24
auth-challenge-type stanza entry
    server stanza 227
auth-cookies stanza 21
    cookie entry 21
auth-timeout stanza entry
    ldap stanza 152
auth-using-compare stanza entry
    ldap stanza 153
authentication_level stanza entry
    credential-refresh-attributes stanza 57
authentication-levels stanza 22
    level entry 22
authtoken-lifetime stanza entry
    cdsso stanza 35
azn-decision-info stanza 33
azn-decision-info stanza entry
    azn-decision-info stanza 33
aznapi-configuration stanza 23
    audit-attribute entry 23
    auditcfg entry 23
    auditlog entry 24
    cache-refresh-interval entry 25
    cred-attribute-entitlement-services entry 25
    dynamic-adi-entitlement-services entry 26
    input-adi-xml-prolog entry 26
    listen-flags entry 27
    logaudit entry 27
    logcfg entry 28
    logclientid entry 28
    logflush entry 29
    logsize entry 30
    permission-info-returned entry 30
    policy-attr-separator entry 31
    policy-cache-size entry 31
    resource-manager-provided-adi entry 32
    xsl-stylesheet-prolog entry 33

B

ba stanza 34
    ba-auth entry 34
    basic-auth-realm entry 35
ba-auth stanza entry
    ba stanza 34
bad-gateway-rsp-file stanza entry
    oauth-eas stanza 187
bad-request-rsp-file stanza entry
    oauth-eas stanza 187
base-crypto-library stanza entry
    ssl stanza 278
basic-auth-passwd stanza entry
    dsess-cluster stanza 59
    tfim-cluster:<cluster> stanza 312
    xacml-cluster:<cluster> stanza 217
basic-auth-realm stanza entry
    ba stanza 35
basic-auth-user stanza entry
    dsess-cluster stanza 59
    tfim-cluster:<cluster> stanza 312
    xacml-cluster:<cluster> stanza 217
basicauth-dummy-passwd stanza entry
    junction stanza 122
bind-dn stanza entry
    ldap stanza 153
bind-id stanza entry
    uraf-registry stanza 319


bind-pwd stanza entry
    ldap stanza 154

C

cache-enabled stanza entry
    ldap stanza 154
cache-group-expire-time stanza entry
    ldap stanza 155
cache-group-membership stanza entry
    ldap stanza 155
cache-group-size stanza entry
    ldap stanza 156
cache-host-header stanza entry
    server stanza 228
cache-lifetime stanza entry
    uraf-registry stanza 320
cache-mode stanza entry
    uraf-registry stanza 321
cache-policy-expire-time stanza entry
    ldap stanza 156
cache-policy-size stanza entry
    ldap stanza 157
cache-refresh-interval stanza entry
    aznapi-configuration stanza 25
cache-requests-for-ecsso stanza entry
    e-community-sso stanza 75
cache-return-registry-id stanza entry
    ldap stanza 157
cache-size stanza entry
    oauth-eas stanza 188
    uraf-registry stanza 321
cache-use-user-cache stanza entry
    ldap stanza 159
cache-user-expire-time stanza entry
    ldap stanza 158
cache-user-size stanza entry
    ldap stanza 158
capitalize-content-length stanza entry
    server stanza 229
categories stanza entry
    p3p-header stanza 195
cdsso stanza 35
    authtoken-lifetime entry 35
    cdsso-argument entry 36
    cdsso-auth entry 36
    cdsso-create entry 37
    clean-cdsso-urls entry 37
    propagate-cdmf-errors entry 38
    use-utf8 entry 38
cdsso-argument stanza entry
    cdsso stanza 36
cdsso-auth stanza entry
    cdsso stanza 36
cdsso-create stanza entry
    cdsso stanza 37
cdsso-incoming-attributes stanza 39
    attribute_pattern entry 39
cdsso-peers stanza 40
    fully_qualified_hostname entry 40
cdsso-token-attributes stanza 40
    domain_name entry 41
    entry 40
cert-cache-max-entries stanza entry
    certificate stanza 42
cert-cache-timeout stanza entry
    certificate stanza 43
cert-failure stanza entry
    acnt-mgt stanza 4
cert-map-authn stanza 47
    debug-level entry 47
    rules-file entry 47
cert-prompt-max-tries stanza entry
    certificate stanza 43
cert-stepup-http stanza entry
    acnt-mgt stanza 5
certificate stanza 42
    accept-client-certs entry 42
    cert-cache-max-entries entry 42
    cert-cache-timeout entry 43
    cert-prompt-max-tries entry 43
    disable-cert-login-page entry 44, 46
    eai-data 45
certificate-login stanza entry
    acnt-mgt stanza 5
cfg-db-cmd:entries stanza 48
cfg-db-cmd:files stanza 49
    include entry 49
change-password-auth stanza entry
    acnt-mgt stanza 6
chunk-responses stanza entry
    server stanza 230
clean-cdsso-urls stanza entry
    cdsso stanza 37
clean-ecsso-urls-for-failover stanza entry
    failover stanza 87
client-connect-timeout stanza entry
    server stanza 229
client-notify-tod stanza entry
    acnt-mgt stanza 6
cluster stanza 49
    is-master entry 50
    master-name entry 50
    max-wait-time entry 51
cluster-name stanza entry
    oauth-eas stanza 188
    rtss-eas stanza 215
compress-mime-types stanza 51
    mime_type entry 51
compress-user-agents stanza 52
    pattern entry 52
concurrent-session-threads-hard-limit stanza entry
    server stanza 230
concurrent-session-threads-soft-limit stanza entry
    server stanza 231
connection-request-limit stanza entry
    server stanza 231
content stanza 53
    utf8-template-macros-enabled entry 53
content-cache stanza 53
    MIME_type entry 53
content-encodings stanza 54
    extension entry 54
content-index-icons stanza 55
    type entry 55
context-id stanza entry
    rtss-eas stanza 216
cookie stanza entry
    auth-cookies stanza 21
cookie-domain stanza entry
    ltpa stanza 180
cookie-name stanza entry
    ltpa stanza 180
cope-with-pipelined-request stanza entry
    server stanza 232
cred-attribute-entitlement-services stanza entry
    aznapi-configuration stanza 25
credential-policy-attributes stanza 56
    policy-name entry 56
credential-refresh-attributes stanza 57
    attribute_name_pattern entry 57
    authentication_level entry 57
crl-ldap-server stanza entry
    junction stanza 122
    ssl stanza 278
crl-ldap-server-port stanza entry
    junction stanza 123
    ssl stanza 279
crl-ldap-user stanza entry
    junction stanza 123
    ssl stanza 280
crl-ldap-user-password stanza entry
    junction stanza 124
    ssl stanza 280

D

DB2 xii
debug-level stanza entry
    cert-map-authn stanza 47
decode-query stanza entry
    server stanza 232
default stanza entry
    ssl-qop-mgmt-default stanza 300
default-fed-id stanza entry
    oauth-eas stanza 189
default-mode stanza entry
    oauth-eas stanza 189
default-policy-override-support stanza entry
    ldap stanza 159
Disable local junctions 151
disable-cert-login-page stanza entry
    certificate stanza 44, 46
disable-ec-cookie stanza entry
    e-community-sso stanza 76
disable-local-junctions 151
disable-ssl-v2 stanza entry
    junction stanza 124
    ssl stanza 281
disable-ssl-v3 stanza entry
    junction stanza 125
    ssl stanza 281
disable-timeout-reduction stanza entry
    server stanza 233
disable-tls-v1 stanza entry
    junction stanza 125
    ssl stanza 282
disable-tls-v11 stanza entry
    junction stanza 126
    ssl stanza 282
disable-tls-v12 stanza entry
    junction stanza 126
    ssl stanza 283
disputes stanza entry
    p3p-header stanza 196


domain stanza entry
    session-cookie-domains stanza 277
domain_name stanza entry
    cdsso-token-attributes stanza 41
    e-community-domain-keys stanza 74
    e-community-domain-keys:domain stanza 75
    ecsso-token-attributes stanza 86
dont-reprocess-jct-404s stanza entry
    junction stanza 127
double-byte-encoding stanza entry
    server stanza 233
dsess stanza 58
    dsess-cluster-name entry 58
    dsess-sess-id-pool-size entry 58
dsess-cluster stanza 59
    basic-auth-passwd entry 59
    basic-auth-user entry 59
    gsk-attr-name entry 60
    handle-idle-timeout entry 61
    handle-pool-size entry 61
    response-by entry 62
    server entry 62
    ssl-fips-enabled entry 63
    ssl-keyfile entry 64
    ssl-keyfile-label entry 64
    ssl-keyfile-stash entry 65
    ssl-valid-server-dn entry 65
    timeout entry 66
dsess-cluster-name stanza entry
    dsess stanza 58
dsess-enabled stanza entry
    session stanza 264
dsess-last-access-update-interval stanza entry
    session stanza 265
dsess-sess-id-pool-size stanza entry
    dsess stanza 58
dynamic-adi-entitlement-services stanza entry
    aznapi-configuration stanza 26
dynurl-allow-large-posts stanza entry
    server stanza 234
dynurl-map stanza entry
    server stanza 235

E

e-community-domain-keys stanza 74
    domain_name entry 74
e-community-domain-keys:domain stanza 75
    domain_name entry 75
e-community-domains stanza 74
    name entry 74
e-community-name stanza entry
    e-community-sso stanza 76
e-community-sso stanza 75
    cache-requests-for-ecsso entry 75
    disable-ec-cookie entry 76
    e-community-name entry 76
    e-community-sso-auth entry 77
    ec-cookie-domain entry 77
    ec-cookie-lifetime entry 78
    ecsso-allow-unauth entry 78
    ecsso-propagate-errors entry 79
    handle-auth-failure-at-mas entry 79
    is-master-authn-server entry 80
    master-authn-server entry 80
    master-http-port entry 81
    master-https-port entry 82
    propagate-cdmf-errors entry 82
    use-utf8 entry 83
    vf-argument entry 83
    vf-token-lifetime entry 84
    vf-url entry 84
e-community-sso-auth stanza entry
    e-community-sso stanza 77
eai stanza 66
    eai-auth entry 66
    eai-auth-level-header entry 67
    eai-flags-header entry 67
    eai-pac-header entry 68
    eai-pac-svc-header entry 68
    eai-redir-url-header entry 69
    eai-session-id-header entry 69
    eai-user-id-header entry 70
    eai-verify-user-identity entry 70
    eai-xattrs-header entry 71
    retain-eai-session entry 72
eai-auth stanza entry
    eai stanza 66
eai-auth-level-header stanza entry
    eai stanza 67
eai-data
    certificate stanza 45
eai-flags-header stanza entry
    eai stanza 67
eai-pac-header stanza entry
    eai stanza 68
eai-pac-svc-header stanza entry
    eai stanza 68
eai-redir-url-header stanza entry
    eai stanza 69
eai-session-id-header stanza entry
    eai stanza 69
eai-trigger-urls stanza 72
    trigger entry 72, 73
eai-user-id-header stanza entry
    eai stanza 70
eai-verify-user-identity stanza entry
    eai stanza 70
eai-xattrs-header stanza entry
    eai stanza 71
ec-cookie-domain stanza entry
    e-community-sso stanza 77
ec-cookie-lifetime stanza entry
    e-community-sso stanza 78
ecsso-allow-unauth stanza entry
    e-community-sso stanza 78
ecsso-incoming-attributes stanza 85
    attribute_pattern entry 85
ecsso-propagate-errors stanza entry
    e-community-sso stanza 79
ecsso-token-attributes stanza 86
    domain_name entry 86
    entry 86
education xiv
enable-duplicate-ssl-dn-not-found-msgs stanza entry
    ssl stanza 283
enable-failover-cookie-for-domain stanza entry
    failover stanza 88
enable-html-redirect stanza entry
    acnt-mgt stanza 7
enable-IE6-2GB-downloads stanza entry
    server stanza 235
enable-local-response-redirect stanza entry
    acnt-mgt stanza 7
enable-passwd-warn stanza entry
    acnt-mgt stanza 8
enable-redirects stanza 87
    redirect entry 87
enable-secret-token-validation stanza entry
    acnt-mgt stanza 9
enabled stanza entry
    ldap stanza 160
enforce-max-sessions-policy stanza entry
    session stanza 265
entries 86
    pam-issue
        pam-resource:URI stanza 208
    resource-name
        http-transformations stanza 107
    user-agent
        user-agent stanza 322
    absolute-uri-in-request-log
        logging stanza 171
    accept-client-certs
        certificate stanza 42
    access
        p3p-header stanza 194
    account-expiry-notification
        acnt-mgt stanza 1
    account-inactivated
        acnt-mgt stanza 1
    account-locked
        acnt-mgt stanza 2
    agents
        logging stanza 171
    allow-backend-domain-cookies
        junction stanza 121, 128
    allow-empty-form-fields
        forms stanza 103
    allow-shift-jis-chars
        server stanza 225
    allow-unauth-ba-supply
        server stanza 225
    allow-unauthenticated-logout
        acnt-mgt stanza 3
    allow-unsolicited-logins
        server stanza 226
    allowed-referers
        acnt-mgt stanza 3
    always-send-tokens
        tfimsso:<jct-id> stanza 306
    applies-to
        tfimsso:<jct-id> stanza 307
    apply-tam-native-policy
        oauth-eas stanza 186
        rtss-eas stanza 213
    attribute_name_pattern
        credential-refresh-attributes stanza 57


    attribute_pattern
        cdsso-incoming-attributes stanza 39
        ecsso-incoming-attributes stanza 85
        failover-add-attributes stanza 93
        failover-restore-attributes stanza 95, 96
    audit-attribute
        aznapi-configuration stanza 23
    audit-log-cfg
        rtss-eas stanza 214
    audit-mime-types
        logging stanza 172
    audit-response-codes
        logging stanza 172
    auditcfg
        aznapi-configuration stanza 23
    auditlog
        aznapi-configuration stanza 24
    auth-challenge-type
        server stanza 227
    auth-timeout
        ldap stanza 152
    auth-using-compare
        ldap stanza 153
    authentication_level
        credential-refresh-attributes stanza 57
    authtoken-lifetime
        cdsso stanza 35
    azn-decision-info
        azn-decision-info stanza 33
    ba-auth
        ba stanza 34
    bad-gateway-rsp-file
        oauth-eas stanza 187
    bad-request-rsp-file
        oauth-eas stanza 187
    base-crypto-library
        ssl stanza 278
    basic-auth-passwd
        rtss-cluster:<cluster> stanza 217
        dsess-cluster stanza 59
        tfim-cluster:<cluster> stanza 312
    basic-auth-realm
        ba stanza 35
    basic-auth-user
        dsess-cluster stanza 59
        rtss-cluster:<cluster> stanza 217
        tfim-cluster:<cluster> stanza 312
    basicauth-dummy-passwd
        junction stanza 122
    bind-dn
        ldap stanza 153
    bind-id
        uraf-registry stanza 319
    bind-pwd
        ldap stanza 154
    cache-enabled
        ldap stanza 154
    cache-group-expire-time
        ldap stanza 155
    cache-group-membership
        ldap stanza 155
    cache-group-size
        ldap stanza 156
    cache-host-header
        server stanza 228
    cache-lifetime
        uraf-registry stanza 320
    cache-mode
        uraf-registry stanza 321
    cache-policy-expire-time
        ldap stanza 156
    cache-policy-size
        ldap stanza 157
    cache-refresh-interval
        aznapi-configuration stanza 25
    cache-requests-for-ecsso
        e-community-sso stanza 75
    cache-return-registry-id
        ldap stanza 157
    cache-size
        oauth-eas stanza 188
        uraf-registry stanza 321
    cache-use-user-cache
        ldap stanza 159
    cache-user-expire-time
        ldap stanza 158
    cache-user-size
        ldap stanza 158
    capitalize-content-length
        server stanza 229
    categories
        p3p-header stanza 195
    cdsso-argument
        cdsso stanza 36
    cdsso-auth
        cdsso stanza 36
    cdsso-create
        cdsso stanza 37
        cdsso-token-attributes stanza 40
    cert-cache-max-entries
        certificate stanza 42
    cert-cache-timeout
        certificate stanza 43
    cert-failure
        acnt-mgt stanza 4
    cert-prompt-max-tries
        certificate stanza 43
    cert-stepup-http
        acnt-mgt stanza 5
    certificate-login
        acnt-mgt stanza 5
    change-password-auth
        acnt-mgt stanza 6
    chunk-responses
        server stanza 230
    clean-cdsso-urls
        cdsso stanza 37
    clean-ecsso-urls-for-failover
        failover stanza 87
    client-connect-timeout
        server stanza 229
    client-notify-tod
        acnt-mgt stanza 6
    cluster-name
        oauth-eas stanza 188
        rtss-eas stanza 215
    concurrent-session-threads-hard-limit
        server stanza 230
    concurrent-session-threads-soft-limit
        server stanza 231
    connection-request-limit
        server stanza 231
    context-id
        rtss-eas stanza 216
    cookie
        auth-cookies stanza 21
    cookie-domain
        ltpa stanza 180
    cookie-name
        ltpa stanza 180
    cope-with-pipelined-request
        server stanza 232
    cred-attribute-entitlement-services
        aznapi-configuration stanza 25
    crl-ldap-server
        junction stanza 122
        ssl stanza 278
    crl-ldap-server-port
        junction stanza 123
        ssl stanza 279
    crl-ldap-user
        junction stanza 123
        ssl stanza 280
    crl-ldap-user-password
        junction stanza 124
        ssl stanza 280
    debug-level
        cert-map-authn stanza 47
    decode-query
        server stanza 232
    default
        ssl-qop-mgmt-default stanza 300
    default-fed-id
        oauth-eas stanza 189
    default-mode
        oauth-eas stanza 189
    default-policy-override-support
        ldap stanza 159
    disable-cert-login-page
        certificate stanza 44, 46
    disable-ec-cookie
        e-community-sso stanza 76
    disable-ssl-v2
        junction stanza 124
        ssl stanza 281
    disable-ssl-v3
        junction stanza 125
        ssl stanza 281
    disable-timeout-reduction
        server stanza 233
    disable-tls-v1
        junction stanza 125
        ssl stanza 282
    disable-tls-v11
        junction stanza 126
        ssl stanza 282
    disable-tls-v12
        junction stanza 126
        ssl stanza 283
    disputes
        p3p-header stanza 196

    domain
        session-cookie-domains stanza 277
    domain_name
        cdsso-token-attributes stanza 41
        e-community-domain-keys stanza 74
        e-community-domain-keys:domain stanza 75
        ecsso-token-attributes stanza 86
    dont-reprocess-jct-404s
        junction stanza 127
    double-byte-encoding
        server stanza 233
    dsess-cluster-name
        dsess stanza 58
    dsess-enabled
        session stanza 264
    dsess-last-access-update-interval
        session stanza 265
    dsess-sess-id-pool-size
        dsess stanza 58
    dynamic-adi-entitlement-services
        aznapi-configuration stanza 26
    dynurl-allow-large-posts
        server stanza 234
    dynurl-map
        server stanza 235
    e-community-name
        e-community-sso stanza 76
    e-community-sso-auth
        e-community-sso stanza 77
    eai-auth
        eai stanza 66
    eai-auth-level-header
        eai stanza 67
    eai-data
        certificate stanza 45
    eai-flags-header
        eai stanza 67
    eai-pac-header
        eai stanza 68
    eai-pac-svc-header
        eai stanza 68
    eai-redir-url-header
        eai stanza 69
    eai-session-id-header
        eai stanza 69
    eai-user-id-header
        eai stanza 70
    eai-verify-user-identity
        eai stanza 70
    eai-xattrs-header
        eai stanza 71
    ec-cookie-domain
        e-community-sso stanza 77
    ec-cookie-lifetime
        e-community-sso stanza 78
    ecsso-allow-unauth
        e-community-sso stanza 78
    ecsso-propagate-errors
        e-community-sso stanza 79
        ecsso-token-attributes stanza 86
    enable-duplicate-ssl-dn-not-found-msgs
        ssl stanza 283
    enable-failover-cookie-for-domain
        failover stanza 88
    enable-html-redirect
        acnt-mgt stanza 7
    enable-IE6-2GB-downloads
        server stanza 235
    enable-local-response-redirect
        acnt-mgt stanza 7
    enable-passwd-warn
        acnt-mgt stanza 8
    enable-secret-token-validation
        acnt-mgt stanza 9
    enabled
        ldap stanza 160
    enforce-max-sessions-policy
        session stanza 265
    env-name
        system-environment-variables stanza 305
    extension
        content-encodings stanza 54
    failover-auth
        failover stanza 89
    failover-cookie-lifetime
        failover stanza 89
    failover-cookies-keyfile
        failover stanza 90
    failover-include-session-id
        failover stanza 90
    failover-require-activity-timestamp-validation
        failover stanza 91
    failover-require-lifetime-timestamp-validation
        failover stanza 91
    failover-update-cookie
        failover stanza 92
    fed-id-param
        oauth-eas stanza 190
    filter-nonhtml-as-xhtml
        server stanza 236
    fips-mode-processing
        ssl stanza 284
    flow-data-enabled
        flow-data stanza 102
    flow-data-stats-interval
        flow-data stanza 103
    flush-time
        logging stanza 173
    force-tag-value-prefix
        server stanza 236
    forms-auth
        forms stanza 104
    fully_qualified_hostname
        cdsso-peers stanza 40
    gmt-time
        logging stanza 173
    gsk-attr-name
        dsess-cluster stanza 60
        ssl stanza 284
        tfim-cluster:<cluster> stanza 313
    gsk-crl-cache-entry-lifetime
        ssl stanza 286
    gsk-crl-cache-size
        ssl stanza 286
    gso-cache-enabled
        gso-cache stanza 105
    gso-cache-entry-idle-timeout
        gso-cache stanza 105
    gso-cache-entry-lifetime
        gso-cache stanza 106
    gso-cache-size
        gso-cache stanza 106
    handle-auth-failure-at-mas
        e-community-sso stanza 79
    handle-idle-timeout
        rtss-cluster:<cluster> stanza 218
        tfim-cluster:<cluster> stanza 314
    handle-pool-size
        rtss-cluster:<cluster> stanza 218
        dsess-cluster stanza 61
        tfim-cluster:<cluster> stanza 314
    header
        filter-request-headers stanza 99
    header_name
        session-http-headers stanza 277
    help
        acnt-mgt stanza 10
    host
        ldap stanza 161
    host-header-in-request-log
        logging stanza 174
    host-ip
        ssl-qop-mgmt-hosts stanza 301
    hostname-junction-cookie
        script-filtering stanza 223
    HTML_tag
        filter-events stanza 97
        filter-url stanza 101
    html-redirect
        acnt-mgt stanza 11
    http
        server stanza 237
    http-method-disabled-local
        server stanza 237
    http-method-disabled-remote
        server stanza 238
    http-port
        server stanza 238
    http-rsp-header
        acnt-mgt stanza 10
    http-timeout
        junction stanza 129
    https
        server stanza 239
    https-port
        server stanza 239
    https-timeout
        junction stanza 129
    ignore-missing-last-chunk
        server stanza 240
    inactive-timeout
        session stanza 266
    input-adi-xml-prolog
        aznapi-configuration stanza 26
    insert-client-real-ip-for-option-r
        junction stanza 130
    interface_name
        interfaces stanza 111
    intra-connection-timeout
        server stanza 240

    io-buffer-size
        junction stanza 130
        server stanza 241
    ip-support-level
        server stanza 242
    ipaddr-auth
        ipaddr stanza 120
    ipv6-support
        server stanza 243
    is-enabled
        itim stanza 112
    is-master
        cluster stanza 50
    is-master-authn-server
        e-community-sso stanza 80
    itim-server-name
        itim stanza 112
    itim-servlet-context
        itim stanza 113
    jct-cert-keyfile
        junction stanza 131
    jct-cert-keyfile-pwd
        junction stanza 133
    jct-cert-keyfile-stash
        junction stanza 132
    jct-gsk-attr-name
        ssl stanza 287
    jct-ltpa-cookie-name
        ltpa stanza 181
    jct-ocsp-enable
        junction stanza 133
    jct-ocsp-max-response-size
        junction stanza 134
    jct-ocsp-nonce-check-enable
        junction stanza 134
    jct-ocsp-nonce-generation-enable
        junction stanza 135
    jct-ocsp-proxy-server-name
        junction stanza 135
    jct-ocsp-proxy-server-port
        junction stanza 136
    jct-ocsp-url
        junction stanza 136
    jct-ssl-reneg-warning-rate
        junction stanza 137
    jct-undetermined-revocation-cert-action
        junction stanza 137
    jmt-map
        junction stanza 138
    keydatabase-file
        itim stanza 114
    keydatabase-password
        itim stanza 114
    keydatabase-password-file
        itim stanza 115
    keyfile
        ltpa stanza 182
    late-lockout-notification
        server stanza 243
    level
        authentication-levels stanza 22
    listen-flags
        aznapi-configuration stanza 27
    local-response-redirect-uri
        local-response-redirect stanza 170
    log-invalid-requests
        logging stanza 174
    logaudit
        aznapi-configuration stanza 27
    logcfg
        aznapi-configuration stanza 28
    logclientid
        aznapi-configuration stanza 28
    logflush
        aznapi-configuration stanza 29
    login
        acnt-mgt stanza 11
    login-failures-persistent
        ldap stanza 161
    login-redirect-page
        acnt-mgt stanza 12
    login-success
        acnt-mgt stanza 13
    logout
        acnt-mgt stanza 13
    logout-remove-cookie
        session stanza 266
    logsize
        aznapi-configuration stanza 30
    ltpa-auth
        ltpa stanza 179, 182
    ltpa-cache-enabled
        ltpa-cache stanza 183
    ltpa-cache-entry-idle-timeout
        ltpa-cache stanza 184
    ltpa-cache-entry-lifetime
        ltpa-cache stanza 184
    ltpa-cache-size
        ltpa-cache stanza 185
    macro
        local-response-macros stanza 169
    managed-cookies-list
        junction stanza 139
    mangle-domain-cookies
        junction stanza 139
    master-authn-server
        e-community-sso stanza 80
    master-http-port
        e-community-sso stanza 81
    master-https-port
        e-community-sso stanza 82
    master-name
        cluster stanza 50
    match-vhj-first
        junction stanza 140
    max-cached-persistent-connections
        junction stanza 140
    max-client-read
        server stanza 244
    max-entries
        session stanza 267
    max-file-cat-command-length
        server stanza 244
    max-file-descriptors
        server stanza 245
    max-idle-persistent-connections
        server stanza 246
    max-search-size
        ldap stanza 162
    max-size
        logging stanza 175
    max-wait-time
        cluster stanza 51
    max-webseal-header-size
        junction stanza 141
    mime_type
        compress-mime-types stanza 51
    MIME_type
        content-cache stanza 53
    mode-param
        oauth-eas stanza 191
    mpa
        mpa stanza 185
    name
        e-community-domains stanza 74
        preserve-cookie-names stanza 209
    network-interface
        server stanza 246
    network/netmask
        ssl-qop-mgmt-networks stanza 302
    non-identifiable
        p3p-header stanza 197
    obligation
        obligations-levels-mapping stanza 193
    ocsp-enable
        ssl stanza 288
    ocsp-max-response-size
        ssl stanza 289
    ocsp-nonce-check-enable
        ssl stanza 289
    ocsp-nonce-generation-enable
        ssl stanza 290
    ocsp-proxy-server-name
        ssl stanza 290
    ocsp-proxy-server-port
        ssl stanza 291
    ocsp-url
        ssl stanza 291
    one-time-token
        tfimsso:jct-id stanza 307
    p3p-element
        p3p-header stanza 197
    pam-coalescer-parameter
        PAM stanza 204
    pam-disabled-issues
        PAM stanza 206
    pam-enabled
        PAM stanza 202
    pam-http-parameter
        PAM stanza 203
    pam-log-audit-events
        PAM stanza 206
    pam-log-cfg
        logging stanza 205
    pam-max-memory
        PAM stanza 202
    pam-resource-rule
        PAM stanza 207
    pam-use-proxy-header
        PAM stanza 203
    pass-http-only-cookie-atr
        junction stanza 142
    passwd-change
        acnt-mgt stanza 14

    passwd-change-failure
        acnt-mgt stanza 14
    passwd-change-success
        acnt-mgt stanza 15
    passwd-expired
        acnt-mgt stanza 15
    passwd-warn
        acnt-mgt stanza 16
    passwd-warn-failure
        acnt-mgt stanza 16
    pattern
        compress-user-agents stanza 52
    permission-info-returned
        aznapi-configuration stanza 30
    persistent-con-timeout
        junction stanza 142
        server stanza 247
    ping-method
        junction stanza 143
    ping-time
        junction stanza 144
    ping-uri
        junction stanza 144
    policy-attr-separator
        aznapi-configuration stanza 31
    policy-cache-size
        aznapi-configuration stanza 31
    policy-name
        credential-policy-attributes stanza 56
    port
        ldap stanza 163
    pre-410-compatible-tokens
        server stanza 247
    pre-510-compatible-token
        server stanza 248
    prefer-readwrite-server
        ldap stanza 162
    preserve-base-href
        server stanza 248
    preserve-base-href2
        server stanza 249
    preserve-p3p-policy
        server stanza 249
    preserve-xml-token
        tfimsso:jct-id stanza 308
    principal-name
        itim stanza 116
    principal-password
        itim stanza 116
    process-root-requests
        server stanza 250
    prompt-for-displacement
        session stanza 268
    propagate-cdmf-errors
        cdsso stanza 38
        e-community-sso stanza 82
    purpose
        p3p-header stanza 198
    realm-name
        oauth-eas stanza 191
    reauth-at-any-level
        reauthentication stanza 210
    reauth-extend-lifetime
        reauthentication stanza 210
    reauth-for-inactive
        reauthentication stanza 211
    reauth-reset-lifetime
        reauthentication stanza 211
    recipient
        p3p-header stanza 199
    recovery-ping-time
        junction stanza 145
    redirect
        enable-redirects stanza 87
    redirect-to-root-for-pkms
        acnt-mgt stanza 17
    redirect-using-relative
        server stanza 250
    referers
        logging stanza 175
    register-authentication-failures
        session stanza 268
    reissue-missing-failover-cookie
        failover stanza 92
    reject-invalid-host-header
        server stanza 251
    reject-request-transfer-encodings
        server stanza 252
    remedies
        p3p-header stanza 200
    renewal-window
        tfimsso:jct-id stanza 308
    replica
        ldap stanza 163
    replica-set
        replica-sets stanza 213
    reprocess-root-jct-404s
        junction stanza 146
    request-body-max-read
        server stanza 252
    request-log-format
        logging stanza 176
    request-max-cache
        server stanza 253
    requests
        logging stanza 176
    require-mpa
        session stanza 269
    resend-webseal-cookies
        session stanza 269
    reset-cookies-list
        junction stanza 146
    resource-manager-provided-adi
        aznapi-configuration stanza 32
    response-by
        dsess-cluster stanza 62
    response-code-rules
        junction stanza 147
    retain-eai-session
        eai stanza 72
    retain-stepup-session
        step-up stanza 303
    retention
        p3p-header stanza 201
    rewrite-absolute-with-absolute
        script-filtering stanza 224
    root
        process-root-filter stanza 209
    rules-file
        cert-map-authn stanza 47
    scheme
        filter-schemes stanza 100
    script-filter
        script-filtering stanza 224
    search-timeout
        ldap stanza 164
    send-constant-sess
        session stanza 270
    send-header-ba-first
        server stanza 253
    send-header-spnego-first
        server stanza 254
    server
        rtss-cluster:<cluster> stanza 219
        dsess-cluster stanza 62
        tfim-cluster:<cluster> stanza 315
    server-log-cfg
        logging stanza 178
    server-name
        header-names stanza 107
        server stanza 255
    service-name
        tfimsso:jct-id stanza 309
    service-password-dn
        itim stanza 117
    service-source-dn
        itim stanza 118
    service-token-card-dn
        itim stanza 119
    servlet-port
        itim stanza 120
    session-activity-timestamp
        failover-add-attributes stanza 94
    session-lifetime-timestamp
        failover-add-attributes stanza 94
    share-cookies
        junction stanza 148
    shared-domain-cookie
        session stanza 270
    show-all-auth-prompts
        step-up stanza 303
    single-signoff-uri
        acnt-mgt stanza 17
    slash-before-query-on-redirect
        server stanza 255
    ssl-enabled
        ldap stanza 165
    ssl-fips-enabled
        dsess-cluster stanza 63
        rtss-cluster:<cluster> stanza 220
        tfim-cluster:<cluster> stanza 316
    ssl-id-sessions
        session stanza 271
    ssl-keyfile
        rtss-cluster:<cluster> stanza 220
        dsess-cluster stanza 64
        ldap stanza 165
        ssl stanza 292
        tfim-cluster:<cluster> stanza 316
    ssl-keyfile-dn
        ldap stanza 166
    ssl-keyfile-label
        rtss-cluster:<cluster> stanza 221
        dsess-cluster stanza 64
        ssl stanza 292
        tfim-cluster:<cluster> stanza 317

    ssl-keyfile-pwd
        ldap stanza 167
        ssl stanza 293
    ssl-keyfile-stash
        rtss-cluster:<cluster> stanza 222
        ssl stanza 293
        tfim-cluster:<cluster> stanza 318
    ssl-local-domain
        ssl stanza 294
    ssl-max-entries
        ssl stanza 294
    ssl-port
        ldap stanza 167
    ssl-qop-mgmt
        ssl-qop stanza 299
    ssl-session-cookie-name
        session stanza 271
    ssl-v2-timeout
        ssl stanza 295
    ssl-v3-timeout
        ssl stanza 296
    ssl-valid-server-dn
        dsess-cluster stanza 65
        rtss-cluster:<cluster> stanza 222
        tfim-cluster:<cluster> stanza 318
    standard-junction-replica-set
        session stanza 272
    step-up-at-higher-level
        step-up stanza 304
    stepup-login
        acnt-mgt stanza 18
    strip-www-authenticate-headers
        server stanza 256
    substring
        illegal-url-substrings stanza 110
    support-virtual-host-domain-cookies
        junction stanza 148
    suppress-backend-server-identity
        server stanza 256
    suppress-client-ssl-errors
        ssl stanza 296
    suppress-dynurl-parsing-of-posts
        server stanza 257
    suppress-server-identity
        server stanza 258
    switch-user
        acnt-mgt stanza 19
    tag-value-missing-attr-tag
        server stanza 258
    tcp-session-cookie-name
        session stanza 272
    temp-cache-response
        acnt-mgt stanza 19
    temp-session-cookie-name
        session stanza 273
    temp-session-max-lifetime
        session stanza 273
    terminate-on-reauth-lockout
        reauthentication stanza 212
    tfim-cluster-name
        tfimsso:jct-id stanza 309
    timeout
        rtss-cluster:<cluster> stanza 223
        dsess-cluster stanza 66
        ldap stanza 168
        session stanza 274
        tfim-cluster:<cluster> stanza 319
    token-collection-size
        tfimsso:jct-id stanza 310
    token-transmit-name
        tfimsso:jct-id stanza 311
    token-transmit-type
        tfimsso:jct-id stanza 311
    token-type
        tfimsso:jct-id stanza 310
    too-many-sessions
        acnt-mgt stanza 20
    trace-component
        oauth-eas stanza 192
        rtss-eas stanza 216
    trigger
        eai-trigger-urls stanza 72, 73
    type
        content-index-icons stanza 55
        filter-content-types stanza 96
    unauthorized-rsp-file
        oauth-eas stanza 192
    undetermined-revocation-cert-action
        ssl stanza 297
    update-session-cookie-in-login-request
        session stanza 275
    use-existing-username-macro-in-custom-redirects
        server stanza 259
    use-filename-for-pkmslogout
        acnt-mgt stanza 21
    use-full-dn
        ltpa stanza 183
    use-http-only-cookies
        server stanza 259
    use-new-stateful-on-error
        junction stanza 149
    use-restrictive-logout-filenames
        acnt-mgt stanza 20
    use-same-session
        session stanza 276
    use-utf8
        cdsso stanza 38
        e-community-sso stanza 83
        failover stanza 93
    user-and-group-in-same-suffix
        ldap stanza 168
    user-session-ids
        session stanza 275
    user-session-ids-include-replica-set
        session stanza 276
    utf8-form-support-enabled
        server stanza 260
    utf8-qstring-support-enabled
        server stanza 260
    utf8-template-macros-enabled
        content stanza 53
    utf8-url-support-enabled
        server stanza 261
    validate-backend-domain-cookies
        junction stanza 150
    validate-query-as-ga
        server stanza 261
    verify-step-up-user
        step-up stanza 304
    vf-argument
        e-community-sso stanza 83
    vf-token-lifetime
        e-community-sso stanza 84
    vf-url
        e-community-sso stanza 84
    web-host-name
        server stanza 262
    web-http-port
        server stanza 263
    web-http-protocol
        server stanza 263
    webseal-cert-keyfile
        ssl stanza 297
    webseal-cert-keyfile-label
        ssl stanza 298
    webseal-cert-keyfile-pwd
        ssl stanza 298
    webseal-cert-keyfile-stash
        ssl stanza 299
    worker-thread-hard-limit
        junction stanza 150
    worker-thread-soft-limit
        junction stanza 151
    worker-threads
        server stanza 264
    xsl-stylesheet-prolog
        aznapi-configuration stanza 33
entries, dsess-cluster stanza
    handle-idle-timeout 61
    ssl-keyfile-stash 65
env-name stanza entry
    system-environment-variables stanza 305
exclude stanza entry
    cfg-db-cmd:entries stanza 48
extension stanza entry
    content-encodings stanza 54

F
failover stanza 87
    clean-ecsso-urls-for-failover entry 87
    enable-failover-cookie-for-domain entry 88
    failover-auth entry 89
    failover-cookie-lifetime entry 89
    failover-cookies-keyfile entry 90
    failover-include-session-id entry 90
    failover-require-activity-timestamp-validation entry 91
    failover-require-lifetime-timestamp-validation entry 91
    failover-update-cookie entry 92
    reissue-missing-failover-cookie entry 92
    use-utf8 entry 93
failover-add-attributes stanza 93
    attribute_pattern entry 93
    session-activity-timestamp entry 94
    session-lifetime-timestamp entry 94
failover-auth stanza entry
    failover stanza 89
failover-cookie-lifetime stanza entry
    failover stanza 89

failover-cookies-keyfile stanza entry
    failover stanza 90
failover-include-session-id stanza entry
    failover stanza 90
failover-require-activity-timestamp-validation stanza entry
    failover stanza 91
failover-require-lifetime-timestamp-validation stanza entry
    failover stanza 91
failover-restore-attributes stanza 95
    attribute_pattern entry 95, 96
failover-update-cookie stanza entry
    failover stanza 92
fed-id-param stanza entry
    oauth-eas stanza 190

Federal Information Processing Standards (FIPS)
    ssl-fips-enabled stanza entry 63
files
    include
        cfg-db-cmd:files stanza 49

filter-content-types stanza 96
    type entry 96
filter-events stanza 97
    HTML_tag entry 97
filter-nonhtml-as-xhtml stanza entry
    server stanza 236
filter-request-headers stanza 99
    header entry 99
filter-schemes stanza 100
    scheme entry 100
filter-url stanza 101
    HTML_tag entry 101

FIPS (Federal Information Processing Standards)
    ssl-fips-enabled stanza entry 63
fips-mode-processing stanza entry
    ssl stanza 284
flow-data stanza 102
    flow-data-enabled entry 102
    flow-data-stats-interval entry 103

flow-data-enabled stanza entry
    flow-data stanza 102
flow-data-stats-interval stanza entry
    flow-data stanza 103
flush-time stanza entry
    logging stanza 173
force-tag-value-prefix stanza entry
    server stanza 236
forms stanza 103
    allow-empty-form-fields entry 103
    forms-auth entry 104
forms-auth stanza entry
    forms stanza 104
fully_qualified_hostname stanza entry
    cdsso-peers stanza 40

G
gmt-time stanza entry
    logging stanza 173
gsk-attr-name stanza entry
    dsess-cluster stanza 60
    ssl stanza 284
    tfim-cluster:<cluster> stanza 313
gsk-crl-cache-entry-lifetime stanza entry
    ssl stanza 286
gsk-crl-cache-size stanza entry
    ssl stanza 286
gskcapicmd xii
gskikm.jar xii
GSKit
    documentation xii
gso-cache stanza 105
    gso-cache-enabled entry 105
    gso-cache-entry-idle-timeout entry 105
    gso-cache-entry-lifetime entry 106
    gso-cache-size entry 106
gso-cache-enabled stanza entry
    gso-cache stanza 105
gso-cache-entry-idle-timeout stanza entry
    gso-cache stanza 105
gso-cache-entry-lifetime stanza entry
    gso-cache stanza 106
gso-cache-size stanza entry
    gso-cache stanza 106

H
handle-auth-failure-at-mas stanza entry
    e-community-sso stanza 79
handle-idle-timeout stanza entry
    dsess-cluster stanza 61
    tfim-cluster:<cluster> stanza 314
    xacml-cluster:<cluster> stanza 218
handle-pool-size stanza entry
    dsess-cluster stanza 61
    tfim-cluster:<cluster> stanza 314
    xacml-cluster:<cluster> stanza 218
header stanza entry
    filter-request-headers stanza 99
header_name stanza entry
    session-http-headers stanza 277
header-names stanza 107
    server-name entry 107
help stanza entry
    acnt-mgt stanza 10
host stanza entry
    ldap stanza 161
host-header-in-request-log stanza entry
    logging stanza 174
host-ip stanza entry
    ssl-qop-mgmt-hosts stanza 301
hostname-junction-cookie stanza entry
    script-filtering stanza 223
HTML_tag stanza entry
    filter-events stanza 97
    filter-url stanza 101
html-redirect stanza entry
    acnt-mgt stanza 11
http stanza entry
    server stanza 237
http-method-disabled-local stanza entry
    server stanza 237
http-method-disabled-remote stanza entry
    server stanza 238
http-port stanza entry
    server stanza 238
http-rsp-header stanza entry
    acnt-mgt stanza 10
http-timeout stanza entry
    junction stanza 129
http-transformations stanza 107
    resource-name entry 107
https stanza entry
    server stanza 239
https-port stanza entry
    server stanza 239
https-timeout stanza entry
    junction stanza 129

I
IBM
    Software Support xiv
    Support Assistant xiv
icap stanza 109
ICAP stanza 109, 110
ICAP:resource 109, 110
ignore-missing-last-chunk stanza entry
    server stanza 240
iKeyman xii
illegal-url-substrings stanza 110
    substring entry 110
inactive-timeout stanza entry
    session stanza 266
include stanza entry
    cfg-db-cmd:files stanza 49
input-adi-xml-prolog stanza entry
    aznapi-configuration stanza 26
insert-client-real-ip-for-option-r stanza entry
    junction stanza 130
interface_name stanza entry
    interfaces stanza 111
interfaces stanza 111
    interface_name entry 111
internet content adaptation protocol 109, 110
intra-connection-timeout stanza entry
    server stanza 240
io-buffer-size stanza entry
    junction stanza 130
    server stanza 241
ip-support-level stanza entry
    server stanza 242
ipaddr stanza
    ipaddr-auth entry 120
ipaddr-auth stanza entry
    ipaddr stanza 120
ipv6-support stanza entry
    server stanza 243
is-enabled stanza entry
    itim stanza 112
is-master stanza entry
    cluster stanza 50
is-master-authn-server stanza entry
    e-community-sso stanza 80
itim stanza 112
    is-enabled entry 112
    itim-server-name entry 112
    itim-servlet-context entry 113
    keydatabase-file entry 114
    keydatabase-password entry 114
    keydatabase-password-file entry 115
    principal-name entry 116

    principal-password entry 116
    service-password-dn entry 117
    service-source-dn entry 118
    service-token-card-dn entry 119
    servlet-port entry 120
itim-server-name stanza entry
    itim stanza 112
itim-servlet-context stanza entry
    itim stanza 113

J
jct-cert-keyfile stanza entry
    junction stanza 131
jct-cert-keyfile-pwd stanza entry
    junction stanza 133
jct-cert-keyfile-stash stanza entry
    junction stanza 132
jct-gsk-attr-name stanza entry
    ssl stanza 287
jct-ltpa-cookie-name stanza entry
    ltpa stanza 181
jct-ocsp-enable stanza entry
    junction stanza 133
jct-ocsp-max-response-size stanza entry
    junction stanza 134
jct-ocsp-nonce-check-enable stanza entry
    junction stanza 134
jct-ocsp-nonce-generation-enable stanza entry
    junction stanza 135
jct-ocsp-proxy-server-name stanza entry
    junction stanza 135
jct-ocsp-proxy-server-port stanza entry
    junction stanza 136
jct-ocsp-url stanza entry
    junction stanza 136
jct-ssl-reneg-warning-rate stanza entry
    junction stanza 137
jct-undetermined-revocation-cert-action stanza entry
    junction stanza 137
jdb-cmd:replace stanza 120
jmt-map stanza entry
    junction stanza 138
junction stanza 121
    allow-backend-domain-cookies entry 121, 128
    basicauth-dummy-passwd entry 122
    crl-ldap-server entry 122
    crl-ldap-server-port entry 123
    crl-ldap-user entry 123
    crl-ldap-user-password entry 124
    disable-ssl-v2 entry 124
    disable-ssl-v3 entry 125
    disable-tls-v1 entry 125
    disable-tls-v11 entry 126
    disable-tls-v12 entry 126
    dont-reprocess-jct-404s entry 127
    http-timeout entry 129
    https-timeout entry 129
    insert-client-real-ip-for-option-r entry 130
    io-buffer-size entry 130
    jct-cert-keyfile entry 131
    jct-cert-keyfile-pwd entry 133
    jct-cert-keyfile-stash entry 132
    jct-ocsp-enable entry 133
    jct-ocsp-max-response-size entry 134
    jct-ocsp-nonce-check-enable entry 134
    jct-ocsp-nonce-generation-enable entry 135
    jct-ocsp-proxy-server-name entry 135
    jct-ocsp-proxy-server-port entry 136
    jct-ocsp-url entry 136
    jct-ssl-reneg-warning-rate entry 137
    jct-undetermined-revocation-cert-action entry 137
    jmt-map entry 138
    managed-cookies-list entry 139
    mangle-domain-cookies entry 139
    match-vhj-first entry 140
    max-cached-persistent-connections entry 140
    max-webseal-header-size entry 141
    pass-http-only-cookie-atr entry 142
    persistent-con-timeout entry 142
    ping-method entry 143
    ping-time entry 144
    ping-uri entry 144
    recovery-ping-time entry 145
    reprocess-root-jct-404s entry 146
    reset-cookies-list entry 146
    response-code-rules entry 147
    share-cookies entry 148
    support-virtual-host-domain-cookies entry 148
    use-new-stateful-on-error entry 149
    validate-backend-domain-cookies entry 150
    worker-thread-hard-limit entry 150
    worker-thread-soft-limit entry 151
junction:junction_name stanza 152

K
key xii
keydatabase-file stanza entry
    itim stanza 114
keydatabase-password stanza entry
    itim stanza 114
keydatabase-password-file stanza entry
    itim stanza 115
keyfile stanza entry
    ltpa stanza 182

L
late-lockout-notification stanza entry
    server stanza 243
LDAP server
    on z/OS xii
ldap stanza 152
    auth-timeout entry 152
    auth-using-compare entry 153
    bind-dn entry 153
    bind-pwd entry 154
    cache-enabled entry 154
    cache-group-expire-time entry 155
    cache-group-membership entry 155
    cache-group-size entry 156
    cache-policy-expire-time entry 156
    cache-policy-size entry 157
    cache-return-registry-id entry 157
    cache-use-user-cache entry 159
    cache-user-expire-time entry 158
    cache-user-size entry 158
    default-policy-override-support entry 159
    enabled entry 160
    host entry 161
    login-failures-persistent entry 161
    max-search-size entry 162
    port entry 163
    prefer-readwrite-server entry 162
    replica entry 163
    search-timeout entry 164
    ssl-enabled entry 165
    ssl-keyfile entry 165
    ssl-keyfile-dn entry 166
    ssl-keyfile-pwd entry 167
    ssl-port entry 167
    timeout entry 168
    user-and-group-in-same-suffix entry 168
level stanza entry
    authentication-levels stanza 22
listen-flags stanza entry
    aznapi-configuration stanza 27
local junctions
    disable 151
local-response-macros stanza 169
    macro entry 169
local-response-redirect stanza 170
    local-response-redirect-uri entry 170
local-response-redirect-uri stanza entry
    local-response-redirect stanza 170
log-invalid-requests stanza entry
    logging stanza 174
logaudit stanza entry
    aznapi-configuration stanza 27
logcfg stanza entry
    aznapi-configuration stanza 28
logclientid stanza entry
    aznapi-configuration stanza 28
logflush stanza entry
    aznapi-configuration stanza 29
logging stanza 171
    absolute-uri-in-request-log entry 171
    agents entry 171
    audit-mime-types entry 172
    audit-response-codes entry 172
    flush-time entry 173
    gmt-time entry 173
    host-header-in-request-log entry 174
    log-invalid-requests entry 174
    max-size entry 175
    pam-log-cfg entry 205
    referers entry 175
    request-log-format entry 176
    requests entry 176
    server-log-cfg entry 178
login stanza entry
    acnt-mgt stanza 11
login-failures-persistent stanza entry
    ldap stanza 161

login-redirect-page stanza entry
    acnt-mgt stanza 12
login-success stanza entry
    acnt-mgt stanza 13
logout stanza entry
    acnt-mgt stanza 13
logout-remove-cookie stanza entry
    session stanza 266
logsize stanza entry
    aznapi-configuration stanza 30
ltpa stanza 179
    cookie-domain entry 180
    cookie-name entry 180
    jct-ltpa-cookie-name entry 181
    keyfile entry 182
    ltpa-auth entry 179, 182
    use-full-dn entry 183
ltpa-auth stanza entry
    ltpa stanza 179, 182
ltpa-cache stanza 183
    ltpa-cache-enabled entry 183
    ltpa-cache-entry-idle-timeout entry 184
    ltpa-cache-entry-lifetime entry 184
    ltpa-cache-size entry 185
ltpa-cache-enabled stanza entry
    ltpa-cache stanza 183
ltpa-cache-entry-idle-timeout stanza entry
    ltpa-cache stanza 184
ltpa-cache-entry-lifetime stanza entry
    ltpa-cache stanza 184
ltpa-cache-size stanza entry
    ltpa-cache stanza 185

M
macro stanza entry
    local-response-macros stanza 169
managed-cookies-list stanza entry
    junction stanza 139
mangle-domain-cookies stanza entry
    junction stanza 139
master-authn-server stanza entry
    e-community-sso stanza 80
master-http-port stanza entry
    e-community-sso stanza 81
master-https-port stanza entry
    e-community-sso stanza 82
master-name stanza entry
    cluster stanza 50
match-vhj-first stanza entry

    junction stanza 140
max-cached-persistent-connections stanza entry
    junction stanza 140

max-client-read stanza entry
    server stanza 244
max-entries stanza entry
    session stanza 267
max-file-cat-command-length stanza entry
    server stanza 244
max-file-descriptors stanza entry
    server stanza 245
max-idle-persistent-connections stanza entry
    server stanza 246
max-search-size stanza entry
    ldap stanza 162
max-size stanza entry
    logging stanza 175
max-wait-time stanza entry
    cluster stanza 51
max-webseal-header-size stanza entry
    junction stanza 141
mime_type stanza entry
    compress-mime-types stanza 51
MIME_type stanza entry
    content-cache stanza 53
mode-param stanza entry
    oauth-eas stanza 191
mpa stanza 185
    mpa entry 185
mpa stanza entry
    mpa stanza 185

N
name stanza entry
    e-community-domains stanza 74
    preserve-cookie-names stanza 209
network-interface stanza entry
    server stanza 246
network/netmask stanza entry
    ssl-qop-mgmt-networks stanza 302
non-identifiable stanza entry
    p3p-header stanza 197

O
oauth-eas stanza 186
    apply-tam-native-policy entry 186
    bad-gateway-rsp-file entry 187
    bad-request-rsp-file entry 187
    cache-size entry 188
    cluster-name entry 188
    default-fed-id entry 189
    default-mode entry 189
    fed-id-param entry 190
    mode-param entry 191
    realm-name entry 191
    trace-component entry 192
    unauthorized-rsp-file entry 192
obligation stanza entry
    obligations-levels-mapping stanza 193
obligations-levels-mapping stanza 193
    obligation entry 193
ocsp-enable stanza entry
    ssl stanza 288
ocsp-max-response-size stanza entry
    ssl stanza 289
ocsp-nonce-check-enable stanza entry
    ssl stanza 289
ocsp-nonce-generation-enable stanza entry
    ssl stanza 290
ocsp-proxy-server-name stanza entry
    ssl stanza 290
ocsp-proxy-server-port stanza entry
    ssl stanza 291
ocsp-url stanza entry
    ssl stanza 291
one-time-token stanza entry
    tfimsso:jct-id stanza 307
online
    publications ix
    terminology ix

P
p3p-element stanza entry
    p3p-header stanza 197
p3p-header stanza 194
    access entry 194
    categories entry 195
    disputes entry 196
    non-identifiable entry 197
    p3p-element entry 197
    purpose entry 198
    recipient entry 199
    remedies entry 200
    retention entry 201
PAM stanza 202
    pam-coalescer-parameter entry 204
    pam-disabled-issues entry 206
    pam-enabled entry 202
    pam-http-parameter entry 203
    pam-log-audit-events entry 206
    pam-max-memory entry 202
    pam-resource-rule entry 207
    pam-use-proxy-header entry 203
pam-coalescer-parameter stanza entry
    PAM stanza 204
pam-disabled-issues stanza entry
    PAM stanza 206
pam-enabled stanza entry
    PAM stanza 202
pam-http-parameter stanza entry
    PAM stanza 203
pam-log-audit-events stanza entry
    PAM stanza 206
pam-log-cfg stanza entry
    logging stanza 205

pam-max-memory stanza entryPAM stanza 202

pam-resource-rule entryPAM stanza 207

pam-resource:URI stanza<URI>stanza 208

pam-resource:URI stanzaURI stanzapam-issue entry 208

pam-use-proxy-header stanza entryPAM stanza 203

pass-http-only-cookie-atr stanza entryjunction stanza 142

passwd-change stanza entryacnt-mgt stanza 14

passwd-change-failure stanza entryacnt-mgt stanza 14

passwd-change-success stanza entryacnt-mgt stanza 15

passwd-expired stanza entryacnt-mgt stanza 15

passwd-warn stanza entryacnt-mgt stanza 16

passwd-warn-failure stanza entryacnt-mgt stanza 16

pattern stanza entrycompress-user-agents stanza 52


permission-info-returned stanza entry
   aznapi-configuration stanza 30
persistent-con-timeout stanza entry
   junction stanza 142
   server stanza 247
ping-method stanza entry
   junction stanza 143
ping-time stanza entry
   junction stanza 144
ping-uri stanza entry
   junction stanza 144
policy-attr-separator stanza entry
   aznapi-configuration stanza 31
policy-cache-size stanza entry
   aznapi-configuration stanza 31
policy-name stanza entry
   credential-policy-attributes stanza 56
port stanza entry
   ldap stanza 163
pre-410-compatible-tokens stanza entry
   server stanza 247
pre-510-compatible-token stanza entry
   server stanza 248
prefer-readwrite-server stanza entry
   ldap stanza 162
preserve-base-href stanza entry
   server stanza 248
preserve-base-href2 stanza entry
   server stanza 249
preserve-cookie-names stanza 209
   name entry 209
preserve-p3p-policy stanza entry
   server stanza 249
preserve-xml-token stanza entry
   tfimsso:<jct-id> stanza 308
principal-name stanza entry
   itim stanza 116
principal-password stanza entry
   itim stanza 116
problem-determination xiv
process-root-filter stanza 209
   root entry 209
process-root-requests stanza entry
   server stanza 250
prompt-for-displacement stanza entry
   session stanza 268
propagate-cdmf-errors stanza entry
   cdsso stanza 38
   e-community-sso stanza 82
publications
   accessing online ix
   list of for this product ix
purpose stanza entry
   p3p-header stanza 198

R

realm-name stanza entry
   oauth-eas stanza 191
reauth-at-any-level stanza entry
   reauthentication stanza 210
reauth-extend-lifetime stanza entry
   reauthentication stanza 210
reauth-for-inactive stanza entry
   reauthentication stanza 211
reauth-reset-lifetime stanza entry
   reauthentication stanza 211
reauthentication stanza 210
   reauth-at-any-level entry 210
   reauth-extend-lifetime entry 210
   reauth-for-inactive entry 211
   reauth-reset-lifetime entry 211
   terminate-on-reauth-lockout entry 212
recipient stanza entry
   p3p-header stanza 199
recovery-ping-time stanza entry
   junction stanza 145
redirect stanza entry
   enable-redirects stanza 87
redirect-to-root-for-pkms stanza entry
   acnt-mgt stanza 17
redirect-using-relative stanza entry
   server stanza 250
referers stanza entry
   logging stanza 175
register-authentication-failures stanza entry
   session stanza 268
reissue-missing-failover-cookie stanza entry
   failover stanza 92
reject-invalid-host-header stanza entry
   server stanza 251
reject-request-transfer-encodings stanza entry
   server stanza 252
remedies stanza entry
   p3p-header stanza 200
renewal-window stanza entry
   tfimsso:<jct-id> stanza 308
replica stanza entry
   ldap stanza 163
replica-set stanza entry
   replica-sets stanza 213
replica-sets stanza 213
   replica-set entry 213
reprocess-root-jct-404s stanza entry
   junction stanza 146
request-body-max-read stanza entry
   server stanza 252
request-log-format stanza entry
   logging stanza 176
request-max-cache stanza entry
   server stanza 253
requests stanza entry
   logging stanza 176
require-mpa stanza entry
   session stanza 269
resend-webseal-cookies stanza entry
   session stanza 269
reset-cookies-list stanza entry
   junction stanza 146
resource-manager-provided-adi stanza entry
   aznapi-configuration stanza 32
response-by stanza entry
   dsess-cluster stanza 62
response-code-rules entry
   junction stanza 147
retain-eai-session stanza entry
   eai stanza 72
retain-stepup-session stanza entry
   step-up stanza 303
retention stanza entry
   p3p-header stanza 201
rewrite-absolute-with-absolute stanza entry
   script-filtering stanza 224
root stanza entry
   process-root-filter stanza 209
rtss-eas stanza 213
   apply-tam-native-policy entry 213
   audit-log-cfg entry 214
   cluster-name entry 215
   context-id entry 216
   trace-component entry 216
rules-file stanza entry
   cert-map-authn stanza 47

S

scheme stanza entry
   filter-schemes stanza 100
script-filter stanza entry
   script-filtering stanza 224
script-filtering stanza 223
   hostname-junction-cookie entry 223
   rewrite-absolute-with-absolute entry 224
   script-filter entry 224
search-timeout stanza entry
   ldap stanza 164
send-constant-sess stanza entry
   session stanza 270
send-header-ba-first stanza entry
   server stanza 253
send-header-spnego-first stanza entry
   server stanza 254
server stanza 225
   allow-shift-jis-chars entry 225
   allow-unauth-ba-supply entry 225
   allow-unsolicited-logins entry 226
   auth-challenge-type entry 227
   cache-host-header entry 228
   capitalize-content-length entry 229
   chunk-responses entry 230
   client-connect-timeout entry 229
   concurrent-session-threads-hard-limit entry 230
   concurrent-session-threads-soft-limit entry 231
   connection-request-limit entry 231
   cope-with-pipelined-request entry 232
   decode-query entry 232
   disable-timeout-reduction entry 233
   double-byte-encoding entry 233
   dynurl-allow-large-posts entry 234
   dynurl-map entry 235
   enable-IE6-2GB-downloads entry 235
   filter-nonhtml-as-xhtml entry 236
   force-tag-value-prefix entry 236
   http entry 237
   http-method-disabled-local entry 237
   http-method-disabled-remote entry 238
   http-port entry 238
   https entry 239


server stanza (continued)
   https-port entry 239
   ignore-missing-last-chunk entry 240
   intra-connection-timeout entry 240
   io-buffer-size entry 241
   ip-support-level entry 242
   ipv6-support entry 243
   late-lockout-notification entry 243
   max-client-read entry 244
   max-file-cat-command-length entry 244
   max-file-descriptors entry 245
   max-idle-persistent-connections entry 246
   network-interface entry 246
   persistent-con-timeout entry 247
   pre-410-compatible-tokens entry 247
   pre-510-compatible-token entry 248
   preserve-base-href entry 248
   preserve-base-href2 entry 249
   preserve-p3p-policy entry 249
   process-root-requests entry 250
   redirect-using-relative entry 250
   reject-invalid-host-header entry 251
   reject-request-transfer-encodings entry 252
   request-body-max-read entry 252
   request-max-cache entry 253
   send-header-ba-first entry 253
   send-header-spnego-first entry 254
   server-name entry 255
   slash-before-query-on-redirect entry 255
   strip-www-authenticate-headers entry 256
   suppress-backend-server-identity entry 256
   suppress-dynurl-parsing-of-posts entry 257
   suppress-server-identity entry 258
   tag-value-missing-attr-tag entry 258
   use-existing-username-macro-in-custom-redirects entry 259
   use-http-only-cookies entry 259
   utf8-form-support-enabled entry 260
   utf8-qstring-support-enabled entry 260
   utf8-url-support-enabled entry 261
   validate-query-as-ga entry 261
   web-host-name entry 262
   web-http-port entry 263
   web-http-protocol entry 263
   worker-threads entry 264
server stanza entry
   dsess-cluster stanza 62
   tfim-cluster:<cluster> stanza 315
   xacml-cluster:<cluster> stanza 219
server-log-cfg stanza entry
   logging stanza 178
server-name stanza entry
   header-names stanza 107
   server stanza 255
service-name stanza entry
   tfimsso:<jct-id> stanza 309
service-password-dn stanza entry
   itim stanza 117
service-source-dn stanza entry
   itim stanza 118
service-token-card-dn stanza entry
   itim stanza 119
servlet-port stanza entry
   itim stanza 120
session stanza 264
   dsess-enabled entry 264
   dsess-last-access-update-interval entry 265
   enforce-max-sessions-policy entry 265
   inactive-timeout entry 266
   logout-remove-cookie entry 266
   max-entries entry 267
   prompt-for-displacement entry 268
   register-authentication-failures entry 268
   require-mpa entry 269
   resend-webseal-cookies entry 269
   send-constant-sess entry 270
   shared-domain-cookie entry 270
   ssl-id-sessions entry 271
   ssl-session-cookie-name entry 271
   standard-junction-replica-set entry 272
   tcp-session-cookie-name entry 272
   temp-session-cookie-name entry 273
   temp-session-max-lifetime entry 273
   timeout entry 274
   update-session-cookie-in-login-request entry 275
   use-same-session entry 276
   user-session-ids entry 275
   user-session-ids-include-replica-set entry 276
session-activity-timestamp stanza entry
   failover-add-attributes stanza 94
session-cookie-domains stanza 277
   domain entry 277
session-http-headers stanza 277
   header_name entry 277
session-lifetime-timestamp stanza entry
   failover-add-attributes stanza 94
share-cookies stanza entry
   junction stanza 148
shared-domain-cookie stanza entry
   session stanza 270
show-all-auth-prompts stanza entry
   step-up stanza 303
single-signoff-uri stanza entry
   acnt-mgt stanza 17
slash-before-query-on-redirect stanza entry
   server stanza 255
ssl stanza 278
   base-crypto-library entry 278
   crl-ldap-server entry 278
   crl-ldap-server-port entry 279
   crl-ldap-user entry 280
   crl-ldap-user-password entry 280
   disable-ssl-v2 entry 281
   disable-ssl-v3 entry 281
   disable-tls-v1 entry 282
   disable-tls-v11 entry 282
   disable-tls-v12 entry 283
   enable-duplicate-ssl-dn-not-found-msgs entry 283
   fips-mode-processing entry 284
   gsk-attr-name entry 284
   gsk-crl-cache-entry-lifetime entry 286
   gsk-crl-cache-size entry 286
   jct-gsk-attr-name entry 287
   ocsp-enable entry 288
   ocsp-max-response-size entry 289
   ocsp-nonce-check-enable entry 289
   ocsp-nonce-generation-enable entry 290
   ocsp-proxy-server-name entry 290
   ocsp-proxy-server-port entry 291
   ocsp-url entry 291
   ssl-keyfile entry 292
   ssl-keyfile-label entry 292
   ssl-keyfile-pwd entry 293
   ssl-keyfile-stash entry 293
   ssl-local-domain entry 294
   ssl-max-entries entry 294
   ssl-v2-timeout entry 295
   ssl-v3-timeout entry 296
   suppress-client-ssl-errors entry 296
   undetermined-revocation-cert-action entry 297
   webseal-cert-keyfile entry 297
   webseal-cert-keyfile-label entry 298
   webseal-cert-keyfile-pwd entry 298
   webseal-cert-keyfile-stash entry 299
ssl-enabled stanza entry
   ldap stanza 165
ssl-fips-enabled stanza entry
   dsess-cluster stanza 63
   tfim-cluster:<cluster> stanza 316
   xacml-cluster:<cluster> stanza 220
ssl-id-sessions stanza entry
   session stanza 271
ssl-keyfile stanza entry
   dsess-cluster stanza 64
   ldap stanza 165
   ssl stanza 292
   tfim-cluster:<cluster> stanza 316
   xacml-cluster:<cluster> stanza 220
ssl-keyfile-dn stanza entry
   ldap stanza 166
ssl-keyfile-label stanza entry
   dsess-cluster stanza 64
   ssl stanza 292
   tfim-cluster:<cluster> stanza 317
   xacml-cluster:<cluster> stanza 221
ssl-keyfile-pwd stanza entry
   ldap stanza 167
   ssl stanza 293
ssl-keyfile-stash stanza entry
   dsess-cluster stanza 65
   ssl stanza 293
   xacml-cluster:<cluster> stanza 222


ssl-keyfile-stash stanza entry (continued)
   tfim-cluster:<cluster> stanza 318
ssl-local-domain stanza entry
   ssl stanza 294
ssl-max-entries stanza entry
   ssl stanza 294
ssl-port stanza entry
   ldap stanza 167
ssl-qop stanza 299
   ssl-qop-mgmt entry 299
ssl-qop-mgmt stanza entry
   ssl-qop stanza 299
ssl-qop-mgmt-default stanza 300
   default entry 300
ssl-qop-mgmt-hosts stanza 301
   host-ip entry 301
ssl-qop-mgmt-networks stanza 302
   network/netmask entry 302
ssl-session-cookie-name stanza entry
   session stanza 271
ssl-v2-timeout stanza entry
   ssl stanza 295
ssl-v3-timeout stanza entry
   ssl stanza 296
ssl-valid-server-dn stanza entry
   dsess-cluster stanza 65
   tfim-cluster:<cluster> stanza 318
   xacml-cluster:<cluster> stanza 222
standard-junction-replica-set stanza entry
   session stanza 272
stanza
   ICAP:<resource> 109
   tfim-cluster:<cluster> 312
   xacml-cluster:<cluster> 217, 218
stanza entry 40, 48, 86
stanza reference 1
stanzas
   acnt-mgt 1
   auth-cookies 21
   authentication-levels 22
   azn-decision-info 33
   aznapi-configuration 23
   ba 34
   cdsso 35
   cdsso-incoming-attributes 39
   cdsso-peers 40
   cdsso-token-attributes 40
   cert-map-authn 47
   certificate 42
   cfg-db-cmd:entries 48
   cfg-db-cmd:files 49
   cluster 49
   compress-mime-types 51
   compress-user-agents 52
   content 53
   content-cache 53
   content-encodings 54
   content-index-icons 55
   credential-policy-attributes 56
   credential-refresh-attributes 57
   dsess 58
   dsess-cluster 59
   e-community-domain-keys 74
   e-community-domain-keys:domain 75
   e-community-domains 74
   e-community-sso 75
   eai 66
   eai-trigger-urls 72
   ecsso-incoming-attributes 85
   ecsso-token-attributes 86
   enable-redirects 87
   failover 87
   failover-add-attributes 93
   failover-restore-attributes 95
   filter-content-types 96
   filter-events 97
   filter-request-headers 99
   filter-schemes 100
   filter-url 101
   flow-data 102
   forms 103
   gso-cache 105
   header-names 107
   http-transformations 107
   icap 109
   illegal-url-substrings 110
   interfaces 111
   itim 112
   junction 121
   junction:junction_name 152
   ldap 152
   local-response-macros 169
   local-response-redirect 170
   logging 171
   ltpa 179
   ltpa-cache 183
   mpa 185
   oauth-eas 186
   obligations-levels-mapping 193
   p3p-header 194
   PAM 202
   pam-resource:<URI> 208
   preserve-cookie-names 209
   process-root-filter 209
   reauthentication 210
   replica-sets 213
   script-filtering 223
   server 225
   session 264
   session-cookie-domains 277
   session-http-headers 277
   ssl 278
   ssl-qop 299
   ssl-qop-mgmt-default 300
   ssl-qop-mgmt-hosts 301
   ssl-qop-mgmt-networks 302
   step-up 303
   system-environment-variables 305
   tfimsso:<jct-id> 306
   uraf-registry 319
   user-agent 322
step-up stanza 303
   retain-stepup-session entry 303
   show-all-auth-prompts entry 303
   step-up-at-higher-level entry 304
   verify-step-up-user entry 304
step-up-at-higher-level stanza entry
   step-up stanza 304
stepup-login stanza entry
   acnt-mgt stanza 18
strip-www-authenticate-headers stanza entry
   server stanza 256
substring stanza entry
   illegal-url-substrings stanza 110
support-virtual-host-domain-cookies stanza entry
   junction stanza 148
suppress-backend-server-identity stanza entry
   server stanza 256
suppress-client-ssl-errors stanza entry
   ssl stanza 296
suppress-dynurl-parsing-of-posts stanza entry
   server stanza 257
suppress-server-identity stanza entry
   server stanza 258
switch-user stanza entry
   acnt-mgt stanza 19
system-environment-variables stanza 305
   env-name entry 305

T

tag-value-missing-attr-tag stanza entry
   server stanza 258
tcp-session-cookie-name stanza entry
   session stanza 272
temp-cache-response stanza entry
   acnt-mgt stanza 19
temp-session-cookie-name stanza entry
   session stanza 273
temp-session-max-lifetime stanza entry
   session stanza 273
terminate-on-reauth-lockout stanza entry
   reauthentication stanza 212
terminology ix
tfim-cluster-name stanza entry
   tfimsso:<jct-id> stanza 309
tfim-cluster:<cluster> stanza 312
   basic-auth-passwd entry 312
   basic-auth-user entry 312
   gsk-attr-name entry 313
   handle-idle-timeout entry 314
   handle-pool-size entry 314
   server entry 315
   ssl-fips-enabled entry 316
   ssl-keyfile entry 316
   ssl-keyfile-label entry 317
   ssl-keyfile-stash entry 318
   ssl-valid-server-dn entry 318
   timeout entry 319
tfimsso:<jct-id> stanza 306
   always-send-tokens entry 306
   applies-to entry 307
   one-time-token entry 307
   preserve-xml-token entry 308
   renewal-window entry 308


tfimsso:<jct-id> stanza (continued)
   service-name entry 309
   tfim-cluster-name entry 309
   token-collection-size entry 310
   token-transmit-name entry 311
   token-transmit-type entry 311
   token-type entry 310
timeout stanza entry
   dsess-cluster stanza 66
   ldap stanza 168
   session stanza 274
   tfim-cluster:<cluster> stanza 319
   xacml-cluster:<cluster> stanza 223
Tivoli Directory Integrator xii
Tivoli Directory Server xii
token-collection-size stanza entry
   tfimsso:<jct-id> stanza 310
token-transmit-name stanza entry
   tfimsso:<jct-id> stanza 311
token-transmit-type stanza entry
   tfimsso:<jct-id> stanza 311
token-type stanza entry
   tfimsso:<jct-id> stanza 310
too-many-sessions stanza entry
   acnt-mgt stanza 20
trace-component stanza entry
   oauth-eas stanza 192
   rtss-eas stanza 216
training xiv
trigger stanza entry
   eai-trigger-urls stanza 72, 73
troubleshooting xiv
stanza
   ICAP:<resource> 110
type stanza entry
   content-index-icons stanza 55
   filter-content-types stanza 96

U

unauthorized-rsp-file stanza entry
   oauth-eas stanza 192
undetermined-revocation-cert-action stanza entry
   ssl stanza 297
update-session-cookie-in-login-request stanza entry
   session stanza 275
uraf-registry stanza 319
   bind-id entry 319
   cache-lifetime entry 320
   cache-mode entry 321
   cache-size entry 321
use-existing-username-macro-in-custom-redirects stanza entry
   server stanza 259
use-filename-for-pkmslogout stanza entry
   acnt-mgt stanza 21
use-full-dn stanza entry
   ltpa stanza 183
use-http-only-cookies stanza entry
   server stanza 259
use-new-stateful-on-error stanza entry
   junction stanza 149
use-restrictive-logout-filenames stanza entry
   acnt-mgt stanza 20
use-same-session stanza entry
   session stanza 276
use-utf8 stanza entry
   cdsso stanza 38
   e-community-sso stanza 83
   failover stanza 93
user-agent stanza 322
   user-agent entry 322
user-and-group-in-same-suffix stanza entry
   ldap stanza 168
user-session-ids stanza entry
   session stanza 275
user-session-ids-include-replica-set stanza entry
   session stanza 276
utf8-form-support-enabled stanza entry
   server stanza 260
utf8-qstring-support-enabled stanza entry
   server stanza 260
utf8-template-macros-enabled stanza entry
   content stanza 53
utf8-url-support-enabled stanza entry
   server stanza 261

V

validate-backend-domain-cookies stanza entry
   junction stanza 150
validate-query-as-ga stanza entry
   server stanza 261
verify-step-up-user stanza entry
   step-up stanza 304
vf-argument stanza entry
   e-community-sso stanza 83
vf-token-lifetime stanza entry
   e-community-sso stanza 84
vf-url stanza entry
   e-community-sso stanza 84

W

web-host-name stanza entry
   server stanza 262
web-http-port stanza entry
   server stanza 263
web-http-protocol stanza entry
   server stanza 263
webseal-cert-keyfile stanza entry
   ssl stanza 297
webseal-cert-keyfile-label stanza entry
   ssl stanza 298
webseal-cert-keyfile-pwd stanza entry
   ssl stanza 298
webseal-cert-keyfile-stash stanza entry
   ssl stanza 299
WebSphere Application Server Network Deployment xii
WebSphere eXtreme Scale xii
worker-thread-hard-limit stanza entry
   junction stanza 150
worker-thread-soft-limit stanza entry
   junction stanza 151
worker-threads stanza entry
   server stanza 264

X

xacml-cluster:<cluster> stanza 217
   basic-auth-passwd entry 217
   basic-auth-user entry 217
   handle-idle-timeout entry 218
   handle-pool-size entry 218
   server entry 219
   ssl-fips-enabled entry 220
   ssl-keyfile entry 220
   ssl-keyfile-label entry 221
   ssl-keyfile-stash entry 222
   ssl-valid-server-dn entry 222
   timeout entry 223
xsl-stylesheet-prolog stanza entry
   aznapi-configuration stanza 33


Printed in USA

SC27-4443-00